Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Infosec’ Category

Ethics In Hacking and Dropping Code

leave a comment »

With the release of Autosploit, a tool for automatically scanning and exploiting hosts located via Shodan.io, a shit storm erupted on the ethics of releasing a tool like this. The problem has become just how easy it may now be to automate the attacks on vulnerable systems en masse that this tool could potentially provide. In an age where IoT devices as well as SCADA and ICS are sitting online in vulnerable states makes the possiblity of great damage to large networks more probable with such a tool. It also brings to the table the idea that the barrier to success on such attacks has been lowered to a new class of individuals with a limited knowledge base and creates an asymmetric threat model of a single individual able to wield greater attack capabilities with one tool.

Many arguments have been made on Twitter about the efficacy of releasing code like this but most have not focused on tools per se but instead on malcode or 0day’s. Now that there are bug bounty programs and companies that sell vulnerabilities we are living in a more dangerous time where the few with the money could buy exploits and do mass damage or commit mass surveillance and espionage. This also applies to countries willing to pay for 0day exploits to be in control of the attacks and have the upper hand. Think about that, our politics and our lives are at the mercy of code being sold to the highest bidder. We have weaponized code and tools made from it on a medium that was supposed to enlighten and bring us all together. Instead our baser nature has made the internet and everyone’s devices a tool for repression or subversion.

After the release of Autosploit, the hue and cry went up, and rightly it did. In a time where we have people releasing code and remarking “Let the world burn” I think it is time that we began to talk about the ethics of doing these things. Ethics kids is a philosophical discipline where you consider the moral responsibilities of what you do and the effects your actions could have. I think that too many people of a certain age group have had little to no training on ethics and this has helped to lead us to where we are today. In this specific case let’s talk about the ethics of releasing any code or tool that would lead to potential disastrous effect.

Many tools over the years have been dropped for free by hackers out there that could and were abused by others who downloaded and used them for their own desires. I have been exhorted to mention things like BackOrifice or L0phtcrack in the past and, well, there you go. Both tools were used for bad purposes as well as ostensibly good in the hands of penetration testers. Of course these were just placed on the net for free for anyone to have at first and this is where the quandary starts right? Did L0pht or CDC consider the potential damage that could be done with their tools? Did they put them out there with some self awareness that they may in fact be complicit in crimes because the tools that they created and distributed, for good or for ill, could be misused?

I point you all to Alfred Nobel, the inventor of Dynamite. He created a tool that would help in mining but in the end that tools devastating effects were used in other ways to hurt people and wage war. In an obituary that was accidentally run about him instead of his brother, he learned what the world perhaps thought of him regarding his invention. This bothered him so much that to atone for his actions he created the Nobel Prize to further science and other pursuits that do not further the harm of others. The idea that his inventions use for ill and how he would be perceived by history prompted his ethical response.

Today, we have people creating tools that could be misused and in some cases are for the sole purpose of misuse. The Autosploit tool may be a boon for some penetration testers, but the reality is that it is just another mass scan tool that seeks out vulnerable systems throughout the whole of the internet and loads the exploit potential to just break into them. This is not a refined tool for a scoped penetration test, this is a tool for mayhem. This is why I think others have made comments about the way it was released and the dangers in doing it so. The ethics though seem to have been glossed over concerning this release. What are the ethics of Autosploit’s creation and release on a Git repo? What is the morality behind doing so? Are there arguments for either of those or is it just another hacker saying; “Let the world burn” with no thought or accountability because it is the internet?

The problem we have today is that there are no ethical demands being placed on these coders and hackers. In fact, the whole notion of hacking has a very troubled side where illegal activities are the norm because the ethical and moral question of “should I do this” has not even been contemplated over the desire to know things. Sometimes I personally think that there is a fair bit of sociopathic behaviour in this community to begin with so that actually kind of aligns with the argument that ethics have not even been contemplated in some of these works. So as we move forward into a world of cyber warfare we have to care for the ethics and morality of what we do just as we have in all other forms of warfare in the civilized world.

While people like Katie Moussouris advocates for penetration testing tools being classified in ways that they are not declared illegal, we too have to look at the ethical concerns of the tools and how they are released to the world at large. Wassenar is a great idea but I feel that it is a myopic approach to larger issues in our ever more connected world. If you look at the actions of the Balkanization of the internet, you can see the actions of China and Russia joining together in a pact to repel the US hegemony in the internet you have to follow that all the way back to the tools that make such issues possible. The tools that you all create for hacking and exploitation that you should have some ethical concerns over when they are used perhaps in ways you did not intend.

Thus, take the ethical pause before you just dump them online …Unless all you care about is watching the world burn.

K.

Written by Krypt3ia

2018/02/02 at 20:12

Posted in Infosec, Uncategorized

I Am Danny Glover: I Am Too Old For This Shit

with 2 comments

Welp, I am gonna say what others I interacted with this year at Defcon imparted in person. Just gonna rip the Band-aid right off, no Bactene, nada….

Defcon has become too big for it’s own good.

There, I said it…

*waits for inevitable whining and recriminations from those who love it and run it*

Really though, the congestion even in Caesar’s was too much to deal with and certainly the fact of getting into lines and then not seeing the talk because you were too far down said line is… Well.. Disappointing to say the least. Add to this that you can see the media later online, why the fuck am I going to attempt to brave the hoards and pay $260 to attend? Everyone says “HallwayCon” now but even that was stupifyingly impossible because the traffic analysis had been fubar’d for this one.

Nope, I am just too old for this shit now. The paradigm of BlackHat is the new RSA, Defcon is the new BlackHat, and Bsides is the new Defcon is really true I think. I had a better time at Bsides and actually got to have substantive educational interludes as well as conversations at Bsides. I attended BlackHat this year and had classes and I also have to say that the Classes were excellent but the presentations were a bag of fail, but hey at least I got to see them. A special note goes out to Matt Suiche on spectacular fail on slides with large blocks of text and his inability to speak English clearly for the ShadowBrokers presentation. In fact, let me also add that he did not add anything to the discourse on the subject by just regurgitating, in large blocks of text on screen, things we all could just Google.

But I digress…

It seems to me now in hindsight that the only way one will get good content and a hassle free way to consume it is to pay exorbinate fee’s to see it so all the other kids aren’t there rubber necking in front of you gawping at all the shiny shiny. Even if you have to listen to the likes of the CISO of FaceCult drone on about how they are going to save the world in between laser light shows (YAY HOOLICON!)

Jesus fuck I am too old for this shit…

Next year maybe I will just do SANS…

Dr. K.

Written by Krypt3ia

2017/08/07 at 21:01

Posted in Infosec

Eugene and the DoD

leave a comment »

Da! Let me share you this blog on Eugene! Look, this whole kerfuffle over Eugene and the DoD has reached epic douchery in the news and now with the Putin administration threating “actions” against the US if they somehow embargo Eugene’s business. Well, let me first start with this little ditty below.. Go ahead, read it…

Ok done? Yeah, Eugene was in the KGB school and he worked for the GRU too according to the Wiki page here. What this means is that Eugene is a “former” made man of the KGB and Military Intelligence apparatus in Russia. He lived in the times when it was the Soviet Union and at the height of the times where the cold war was in a deep freeze. Fuck, just go watch The Amerikans and then come back… I will be waiting…

Ok watched them all have we? So now you know how it was to live in the 80’s huh? Well there you have it. Anyway, Eugene was a member of the organizations that have recently hacked us. What? You are saying it’s the FSB now and it isn’t the KGB?

Fuck you.

FSB is KGB with different letters at the front now ok? If you actually read up a bit you will see that Putin actually gave back the powers that the KGB had back in the day recently so once again they are functioning much like the old bad days as the KGB. Putin as well is an old school KGB man who has used all kinds of KGB fuckery to get where he is and stay there so once again, you say FSB, I say; Fuck. You.

Right, so now back to the present unpleasantness, it seems that Eugene is now offering a code evaluation by anyone who wants to (specifically the DoD) so pretty pretty please buy our shit? Look, it’s not about the code, we don’t necessarily think there are backdoor’s in the product now. No, what the worry is consists of that close snookums relationship Eugene had with the TWO entities that just hacked our election in 2016. Come on people, no one leaves the KGB and certainly NO ONE says NO to Putin right?

Imagine that Eugene’s software is clean as a whistle.

Now imagine that it is sitting on many USGOV and MIL systems.

Now imagine that all that telemetry from those systems is going to RUSSIA.

Then alternatively consider that with all those systems running Eugene’s product, how easy it would be to say, inject a malware or a protocol into all of it to do… “Things”

Think about that hacker kids.

Think about that you spies too.

You all see where I am going with this right? Now of course you could maybe do that with another vendor too but how much more work would it be to do that with Symantec? What I am saying is that Eugene lives in Russia, his assets are there, his LIFE is there and if Putin were to sidle up and say “do this thing” what choice would he have? JESUS FUCK PEOPLE! You know who the next randomly dead Russian would be right Eugene?

So, all this fuckery around the code and exploits etc… Stop. It’s really about access and what could happen in a place where we have seen pretty nakedly what Putin wants and does. So no, the DoD should not have Kaspersky products on their shit. I would be really surprised if they did given where it is made and managed… But then again, I think about all those SF86’s and China and… Fuck….

So there you have it. We are in another hot cold war with a Putichurian candidate in office. Do you really think we need the trifecta of Eugene’s access potential to be expanded to the military?

Yeah neither do I.

K.

Written by Krypt3ia

2017/07/03 at 16:38

The DNC Hack: SVR? KGB? GRU? Lone Hacker?

with 2 comments

191

Attribution Games:

I grow more and more weary of the attribution games being played in INFOSEC and the DNC hack is just another in a cavalcade of epic missing the point parades. Since the “scoop” given to WaPo by Crowdstrike, there has been a flurry of allegations, revelations, and throwing of attribution dice akin to a basement game of Magic The Gathering repleate with summoning!

“I summon the Russian GRU!”

“I summon the LONE ACTOR!”

“I summon the KGB!”

*slaps down cards on table* TAKE THAT!

The reality here is that there are more than a few games going on here. Think about it, Crowdstrike gets a media coup by selling this story to WaPo, who just happens to have been banned by the Orange Julius of our time, presidential candidate Donald Trump! WaPo jumps on this like a child on a fresh tit and runs with the attribution story and sets the world on fire for Donny boy with the release that the DNC not only was hacked but that his dirty laundry may be in the hands of Kommisar Putin!

“Whoa”

So, first let’s set aside the whole issue of marketing, which is akin for me, to choking on a hairball left from that chick in “Ringu” and move on to the veracity of the attribution as well as the real need to name and shame here. I for one can believe that the two nation state actors software and activities were found by Crowdstrike on the DNC systems. The fact that there are two disparate groups from the same nation state is interesting in itself. I guess they are not really talking to each other and given the state of affairs there in Russia I can see this as being a true accounting. However, I can also see my way to there being third, fourth, fith, sixtieth actors also in the network or having had been in the past as well. Face it, these are government systems who usually go to the lowest bidder right? This was likely the Diagon Alley of Democratic networks.

So, to say that it was only these two actors might be a stretch. There is room for doubt and after the dump by “Guccifer2” as they are calling themselves, it is easier to think that perhaps there is more to the story than what we have been given by the media, the DNC, and Crowdstrike. That the documents are legit on the wordpress site by Gucci and that they seem to be pretty well stamped down on metadata, one can’t make too many assumptions.. Oh, yeah, but everyone is! At the end of the day for me, even though I will play the game a little bit below the fold here, the real issues should be how the hackers did it, and fixing the behaviors of the DNC to stop it from happening for a year or two at a time in the future. Not so much pointing at Russia and yelling; “YOU TOOK OUR SHIT! BAD POOTY! BAD!”

Put another way… I eagerly await the FBI warrants and 10 most wanted cyber listings for the Russian actors they have all this attribution on … I suspect I will be waiting the rest of my life for that one kids… Just sayin. This was mostly about marketing as far as I am concerned and I have to give them props for working that one. Sales must be up in the government area now because of this caper right?

Metadata and Cyrillic:

Meanwhile, after the WaPo story hit the wires the “lone hacker” created his wordpress site and dropped dox as we say on the intertubes. Shortly after the drop people were inspecting, detecting, infecting, and making circles and arrows with captions on the back to describe what you were seeing! … And the conspiracy theory machine went into overdrive. Pwnallthethings made some good comments on the metadata in the dropped dox but really, concluding that this is a Russian disinformation operation from metadata stripped documents on the idea that the machine name was cyrillic for Felix Dzerzhinsky (Феликс Эдмундович)  Really? Now that is fucking SOLID work man! Stellar! FUCK LET’S GO BOMB RUSSIA NOW!

Dr._Strangelove

NAILED IT!

You know at least Crowdstrike has like actual data, ya know, C2’s, malware, and shit like that. Anything else is totally speculative, I mean even more speculative than most attribution that these companies make with real data! Anyway, I took a look at the metadata on the documents and here is what I have found…

  • Much of the data was stamped out in saving from format to format
  • Emails of users though were still embedded in the excel files
  • The word docs have no more metadata than the Iron Felix machine name save, which, gee, kinda leads one to wonder…
  • The image files have no metadata.. none.. niente clean.
  • Grizzli777 is just someone who pirates

Yep, not a lot to see there and people are hanging their collective hats on the deliberate placement of Феликс Эдмундович as the machine name to it’s quite OBVIOUSLY being Mother Russia’s exclusive secret services.

*squint.. takes drag of cigarette*

So here’s my assessment…. Maybe Russia did it… OR Maybe this actor is the real thing and happens to want to take credit. The facts that this person(s) reads, writes, has, cyrillic on their machine and names it after the founder of the KGB is as reliable a means to saying it was Russia as it is to say that aliens built the pyramid because people just were fucking too stupid back then!

All of this hoo ha really means nothing. The fact of the matter is that now Donny’s dirty dirt is open source!

YAAAAY!

Wait.. I read it.. What the shit people? REALLY? THAT’S ALL YOU HAD HILLARY? COME ON!

It doesn’t matter who did it really.. Horse is out of the barn and the barn is on fire kids. So please, stop with all the wankery and move on to the next hack ok?

DATA:

Screenshot from 2016-06-17 13:35:04

Screenshot from 2016-06-17 13:33:43

Screenshot from 2016-06-17 13:31:49

Screenshot from 2016-06-17 12:51:57

Screenshot from 2016-06-17 12:46:55

Screenshot from 2016-06-17 12:46:44

Screenshot from 2016-06-17 12:46:33

Screenshot from 2016-06-17 12:46:14

Screenshot from 2016-06-17 12:46:03

Screenshot from 2016-06-17 12:45:43

Screenshot from 2016-06-17 12:44:48

Screenshot from 2016-06-17 09:51:34

Motivation Analysis and Hypothesis

RIGHT! Well now I want to play the attribution/motivation/game of clue too! So here goes…

Imagine if you will that Russia did do it. Imagine also that Gucci2 is still Russia’s services performing a disinfo campain against Crowdstrike. Now imagine why would they be doing that? Why would they drop Donny’s dox AND all the other fun stuff for the Clinton campaign, which is in trouble already over the cybers! What effects would this have? Let’s list it out for you…

  • Dropped dox of the dirt —-> Blows all Hill had on him unless there is a double secret probation file somewhere
  • Dropped dox yet to be releast on Wikileaks —> Let’s say, as Gucci2 alluded, they were also in Hill’s mail server, ya know, the one that wasn’t supposed to be? Oh yeah…
    • If that server was popped by the Russians and Gucci1 those criminal charges could be much more deleterious right? *waves at FBI*
  • Dropping of dox and general hackery causes DNC and the election process to be even more fractious than it already is
  • Dropping dox makes Hill’s candidacy potentially weaker (hint hint server –> Russians–>PWN wink wink nudge nudge!

So all those effects would do what possibly? Why would they want to do this? WHO WOULD WANT A TRUMP PRESIDENCY?????

Why Pooty of course!

Think about it kids. Given your knowledge of Teeny Tiny Baby Hands Trump, do you think he could stand up to a bearish Putin?  *sorry had to use that one*  Do you think that perhaps Donald is easily.. Shall we say.. Distracted or led? Come on, I know you can all reason this out. A Trump presidency would be sweet sweet love for Putin. He would have a friend, and someone he can sit on his knee to play ventriloquist with! … Well, until he has to polonium enema him that is.

That’s my theory and I am sticking with it… For all the fucks that it is worth.

I will say though.. I am waiting on those documents to show up in Wikileaks. That’s when the shit is really gonna hit the fan.

See you all in INFOSEC attribution Hell.

K.

 

Written by Krypt3ia

2016/06/17 at 18:34

Insider Threats: The Most Dangerous Threat

leave a comment »

Screenshot from 2016-03-14 07:58:00

On The Seven Pillars of Wisdom the notion that the “insider threat” can be one of the most devastating threats to an organization. I have pointed this out before concerning INFOSEC but I thought it would be prudent to do so again with the story of the caliphate and Abu Hamed. As a practitioner of the INOSEC arts *chuckle* one of the things that we have to take into account in the #BlueTeamLife is the insider threat and the general tenor within the organizations we work for. One has to take the pulse of the org and see what the overall temp is of the work force. Have there been layoffs? Are people generally disgruntled? Who amongst them may be a turncoat and be stealing your data or setting up the Locky malware inside your domain controllers?

All of these thoughts should cross your mind now and again as an internal player within a security organization. Frankly yes, you can have utter devastation to your network and your org from just one end user being click happy, but imagine if you will a disgruntled employee who has keys to the kingdom and a will to wreck it all as they give you the finger walking out the door. I personally have been party to one such incident that included a logic bomb and many hours trying to figure out what they did to get the org working again. You can never discount the insider threat and you shouldn’t.

The same can be said about agent provocateurs in your org as well. This may seem like fiction to you but consider where you work and what they have as data goes. Would a competitor want to steal that data? Perhaps they would instead like to burn your org down to the ground to get ahead? All of these scenarios are possible and you as the #BlueTeamLifer have to consider these things as you attempt to secure the sieve that is your networking environment.

Do you have any content in your awareness training about outsiders trying to get information from your employee base? Do you have content about not wearing badges to local bars or being circumspect at conferences? If not, perhaps you should assess your crown jewels and start creating some.

At the end of the day it is better to be prepared for this type of activity than to be totally unaware of the possibility.

Think about it.

K.

Written by Krypt3ia

2016/03/14 at 12:10

My new line of INFOSEC T-Shirts from “Everything Is Bad”

leave a comment »

Written by Krypt3ia

2016/02/12 at 15:11

Posted in Infosec

The 2015 INFOSEC KRAMPUS LIST

leave a comment »

krampus-1-web-72RECTANGLE*_550_310_s_c1_c_t

GO HERE AND VOTE NOW!!

Written by Krypt3ia

2015/11/03 at 11:41