Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘INTEL’ Category

The Emperor Is NAKED

leave a comment »

emperornaked

gedh gedh gedh gedh gedh gedh

OMG THE DAM DATA!

Last week a report came out on Wired about how the ACE (Army Corps of Engineers) database was hacked by China and “sensitive” dam data was taken.. By China, let that sink in for a bit as there was no real attribution data in the story. Anyway, aside from the BOOGA BOOGA BOOGA headlines I had to wonder just how hard it was for these “Chinese” hackers to get in and steal the all important super secret DAM data. Given the nature of this type of site and the groups involved in generating, managing, and *cough* protecting it, I had a feeling that it would be rather easy to get the information without having to be uberleet. Sure enough a quick Google Fu session showed me how easy it was to just bypass the login and password scheme as a proof of concept. You can see from the picture at the top of the page that you can just download what you like there (16 meg on dams alone) just by clicking a link on Google and then the link on the page that is not supposed to be served out without authentication.

*I feel so secure now*

So yeah, there you have it and I still cannot understand how the media types paid no attention to my attempts to make them aware of this little factoid. See, here’s the thing kids, I didn’t go any further. Nor did I download the 16 meg file because, well, no one else wants to be Aaron Swartz right? I am sure they could even try to squash my nuts over this post alone but hey, I am sick of the bullshit stories of China hacking our shit when in reality all one need do is GOOGLE the information. This is not to say that this information here is the SAME information that was allegedly stolen by China, but it is a PROOF OF CONCEPT that the site, EVEN TODAY is still insecure and leaking information without authentication!! (yes above pic was taken today via a tor node) So, when I stopped there one has to continue to wonder if you looked further and enumerated more of the site by directory walk could you in fact get even more access?

Feel the derp burn…

OMG CHINA!

Meanwhile back in the hallowed halls of Congress and the Pentagon we have reports coming out in pdf that China is hacking our shit to gain a better “war footing” by taking such data as what this story is all about. DAMS COULD BE BLOWN! WATER COULD LEAK! LIVES LOST! yadda yadda yadda. If you were to take it seriously then one would think that SECOPS demands that this data would be classified and protected per classification. Obviously it wasn’t given the access that you see above as well as the alleged password issue that the hack was allegedly predicated on in the Wired article. But I digress.. I am meaning to talk about China… Yes, so the DOD puts out a report that is subtly saying that no longer are the Chinese only looking to steal IP but now they are looking for ways to stalemate us in war.

*blink*

NO WAY! Like we aren’t doing the same thing everywhere else as well? Derp! Look, it’s only natural that they would be doing so and their doctrine says as much. Just go take a read of their doctrine on all things cybery and you will see that the domination of the infoscape is really important to them. We have only been paying attention for a little while now and we have catching up to do! Alas though, not all roads lead to China so really, I would love to see some attribution on this alleged hack on the dam data when one, once again, could just GOOGLE that shit up. As they say on the internets.. “Pictures or it didn’t happen!”

OMG FAIL!

So here we are again. Our cybers are FAIL and the news media perpetuates more FAIL with their non depth articles on the problem. Maybe China stole some dam data. BIG WHOOP. The real story is that the site that it came from and the people watching it are not paying attention to the cyberz. Their clue phone is broken! They do not know how to “Internet” and it is just another derpy hype cycle in the media that allows China to be blamed for our own stupidity. I swear somewhere there is a Chinese guy laughing like Chumley rolling on the ground over this.

Smell our own fail kids… And weep.

K.

Written by Krypt3ia

2013/05/08 at 16:05

BofA Gets A Burn Notice

leave a comment »

data-deeper

rode bb iqdnpmbia fpn’k ybi lr qektrf?

PARANOIA 

par·a·noi·a

[par-uh-noi-uh]  

noun

1.

Psychiatry. a mental disorder characterized by systematized delusions and the projection of personal
conflicts, which are ascribed to the supposed hostility of others, sometimes progressing to
disturbances of consciousness and aggressive acts believed to be performed in self-defense or as a mission.
2.

baseless or excessive suspicion of the motives of others.
Also, par·a·noe·a  [par-uh-nee-uh]  Show IPA .
Origin: 
1805–15;  < Neo-Latin  < Greek paránoia  madness. See para-, nous, -ia

Paranoia , the Anonymous intelligence division (self described) published a dump of data ostensibly taken from Bank of America and TEK Systems last week. The information presented seems to show that BofA had contracted with TEK to create an ad hoc “Threat Intelligence” unit around the time of the LulzSec debacle. Of course since the compromise of HB Gary Federal and the revelations that BofA had been pitched by them to do some contract work in the disinformation business it only makes sense that BofA would set up a threat intel unit. The information from the HB Gary dumps seemed to allude to the fact that BofA was actively looking to carry out such plans against those they perceived as threats. Anons out there took great umbrage and thus BofA was concerned.

This blog post is being put together to analyze the data dumped by Anonymous and to give some perspective on what BofA may have been up to and to set some things straight on the meanings of the data presented by Paranoia. First off though I would like to just say that I think that generally BofA was being handed lackluster threat intel by a group of people with intelligence background. (for those names located in the dumps their LinkedIN pages showed former mil intel work) This of course is an opinion formed solely from the content that was available online. There may have been much more context in formal reports that may have been generated by the analysts elsewhere that was not open for the taking where Anon found this dump. The daily and monthly reports found in the database showed some analysis but generally gave rough OSINT reports from online chat logs, news reports, and pastebin postings. There seemed to be a general lack of product here and as such I have to wonder if there ever was or if perhaps those reports never made it to the internet accessible server that anonymous downloaded them from.

B of A’s THREAT INTELLIGENCE TEAM

Since the leak of their threat intelligence BofA has been recruiting for a real team it seems. A Google of the parameters show that they have a bunch of openings all over the place for “Threat Assessment” It makes sense since the TEK Systems team may in fact be mostly defunct but also that they likely would want an in house group and not have to pay overhead on consultants to do the work for them. TEK’s crew as well may have been the problem that caused the leak in the first place by placing the data in an accessible area of a web-server or having passed the data to someone who did not take care of it. Either way it looks as though BofA is seeking to create their own intelligence apparatus much as many other corporate entities are today. The big difference though is what exactly is their directive as a group is to be.

One of the problems I have with the Paranoia analysis is that they take it to the conspiratorial level and make it out to be some pseudo CIA like entity. The reality though is that from what has been shown in the documents provided, that this group really was only tasked with OSINT and threat intelligence by passive listening. This is a key difference from disinformation operations and active participation or recruiting of assets. I will cover this in more detail further on in this post so suffice to say that what BofA was doing here was not only mediocre but also not Machiavellian in nature. The argument can be made though that we don’t know the whole picture and I am sure Paranoia and Anonymous are leaning that way. I cannot with what I have seen so far. What I see is an ad hoc group of contractors trying to create an intelligence wing as a defensive maneuver to try and stay ahead of incidents if not deal with them more effectively should they not be able to stop them.

Nothing more.. Nothing less.

Threat Intelligence vs. Analysis and Product

All of this talk though should be based on a good understanding of what intelligence gathering really is. There are many variations on intelligence tasks and in this case what is clearly seen in the emails and documents is that this group was designated as a “Threat Intelligence” collection group. I have written in the past about “Threat Intelligence” and the misnomer many have on the idea that it is some arcane CIA like pursuit. One of the bigger problems overall is perception and reporting where intelligence gathering is concerned. Basically in today’s parlance much of the threat intelligence out there in INFOSEC is more around malware variants, their C&C’s and perhaps who are running them. With the advent of APT actors as well as criminal activity and entities like Anonymous the paradigm of threat intelligence has come full circle back to the old school idea of what it is from the military sphere of operations.

Today’s threat intelligence is not only technical but also human action driven and this makes it even more important to carry out the collection and analysis properly in order to provide your client with the information to make their decisions with. Unfortunately in the case of the data from BofA we see only sketchy outlines of what is being pasted online, what may be being said in IRC sessions, and what is in the news. Nothing overly direct came from any of the data that I saw and as “product” I would not be able to make much of any decisions from what was presented by TEK Systems people. What is really missing within the dump from Paranoia was any kind of finished analysis product tying together the information in a cogent way for the executives at BofA. Did TEK actually carry this type of activity out? Were there actual reports that the execs were reading that would help in understanding the contents of the raw intelligence that was being passed on in emails daily and monthly? I cannot say for sure. What I did see in the reporting (daily threat reports as well as monthly) were some ancillary comments by a few of the analysts but nothing overly structured or productive. I really would like to know if they had more of an apparatus going on here as well as if they plan on creating one again with all of the advertised positions in that Google search above.

Threat Intelligence vs. HUMINT

This brings me to the whole issue of Threat Intel vs. HUMINT. It would seem that Paranoia thinks that there is much more than meets the eye within the dump that makes them intone that there is a HUMINT (Human Intelligence) portion to the BofA program. While there may well be some of that going on it was not evident from any of the documents I looked at within the dump files. HUMINT would imply that there are active participants of the program out there interacting with the targets trying to recruit them or elicit information from them. With that kind of activity comes all of the things one might conjure up in their heads when they think on NOC (Non Operational Cover) officers in the CIA trying to harvest intelligence from sources (assets) in the field. From everything seen that was posted by Paranoia this is not the case.This operation was completely passive and just collecting data that was in public view aka OSINT. (Open Source Intelligence) Could BofA be seeking to interact more with Anon’s and generate more personal data other than that which the Anon’s posted about each other (DOX’ing) sure but there is no evidence of that. Given the revelations with HB Gary though I can see why the Anon’s might be thinking that they are likely taking more robust non passive actions in the background elsewhere though. Overall I just want everyone to understand that it’s not all cloak and dagger here and seems that Paranoia has a flair for the dramatic as a means to get their point across. Or, perhaps they are just living up to their name.

Assessment

My assessment in a nutshell here of the Paranoia BofA Drop is as follows:

  1. Paranoia found some interesting documentation but no smoking gun
  2. TEK systems did a mediocre job at Threat Intelligence with the caveat that I am only working with the documents in plain view today
  3. BofA like any other company today has the right to carry out this type of activity but they need to make sure that it’s done well and that it isn’t leaked like this
  4. If more documents come out showing a more in depth look at the OSINT being collected then perhaps we can change the above findings
  5. BofA needs to classify their data and protect it better on this front
  6. Paranoia needs to not let its name get the best of itself

All the drama aside this was a ho hum really. It was funny seeing all the analysts taking down their LinkedIN pages (really, how sekret squirrel is it to have a LI page saying who you work for doing this kind of work anyway? SECOPS anyone?) I consider those players quite burned and assume they are no longer working on this contract because of it. All you analysts out there named, you are now targets and you are probably learning SECOPS the hard way huh? I guess in the end this will all just be another short chapter in Encyclopedia Dramatica and an object lesson for BofA and maybe TEK Systems.

For everyone else.. It’s just LULZ.

K.

Counterintelligence, False Flags, Disinformation, and Network Defense

with one comment

//B zrxr wwmpxjnp vf ygwyr jh kur gig vvbxv nf o “yinwf zcnt”. Ilmf xp vv lbi vwwpe grxr mhct sxh ubpifmpxt qzgu o izkruyi nar t tcqjhrgrf. Mpgwf xrlf hawwki, CU’f uoom oehhvgvq lbtmqm, ybywzzcqt, ueq vbyzcvfx nngsk ucvlm. Pbh bxmf e qlf.\\

Threat Intelligence, Counterintelligence, and Corporate | Nation State Espionage

“Threat Intelligence”, a term that is just behind the oft used “Cyber” and God forbid, “Cyber” is all too often put in front of it as well to add more oomph for sales people to sell their brand of security snake oil… “But wait there’s more!” We also have other spook terms being kluged into the INFOSEC world now because, well, it’s cool to those cyber warriors out there. I know, I sound jaded and angry, which, yes, yes, I am, but… Well, it’s just gone completely off the rails out there. I hear people talking about these topics as if they know what they are talking about even with the exceedingly limited scope of digital security matters (i.e. hacking/forensics/defense)

I would like to clear the air here a bit on these terms and how they do really apply to the world of INFOSEC that we in this business now find ourselves in, one littered with military and spook terms that you may not be really familiar with. First off, lets look at the terms that have been thrown around here:

Threat Intelligence: In the spook world, this is the gathering of intelligence (HUMINT/MASINT/SIGINT etc) to determine who has it in for you and perhaps how they plan on getting at you.

Counterintelligence: Spies who hunt other spies (Mole Hunts etc)

Espionage (Nation State and Other) The umbrella under which this whole rubric exists. Nation state and other have the component of “Industrial” as well (i.e. IP theft)

Ok, so, where once we used to only have people in three letter agencies worried about “ThreatIntel” we now have the INFOSEC community looking at “threats” to their environments and calling it “Threat Intelligence” now. While it’s a cool name, does it really apply? What was it before the whole APT thing broke as well as the cyberwar-palooza we have today? For the most part, I can see only half of the term applying to any non state entity or three letter agency and that is of what “threats” are out there today. This means what exploits and pieces of malware are out there that your environment would be susceptible to.

Nothing else.

That is unless you suddenly have a company that has decided to launch its own “Intelligence arm” and yes, this has happened, but usually only in larger companies with defense contracts in my experience. Others though, have set them up, like Law firms, who then hire out ex spooks to do the work of counterintelligence as well as intelligence gathering to have an edge over everyone else. Perhaps this is bleeding out into other areas as well in corporate America huh? The point here for me is that unless you have an intelligence arm (not just INFOSEC) you should not be using the term “Threat Intelligence” as an encompassing statement of “there’s malware out there and this is what it is” Point blank here, IF YOU AREN’T DETERMINING WHO YOUR ADVERSARY IS AND WHAT THEIR PLAN IS… IT”S NOT THREAT INTELLIGENCE.

Looking at IP’s on an SIEM and reacting to a triggered event is not threat intelligence. It’s INCIDENT RESPONSE. It’s AFTER THE GOD DAMN FACT OK?

So, stop trying to make it sound cooler than it really is people. To further this idea though, we still have “Counterintelligence” which FOR FUCKS SAKE I have personally seen in a title of a complete MORON at a large company. This fucker sits around all day looking at his stock quotes though, see, it’s just a cool title. It has no meaning. UNLESS you really have an operational INTELLIGENCE UNIT in your company.

*Look around you.. Do you? If not then STFU*

If you do have a real intelligence wing in your org that carries out not only COUNTERINTEL/INTEL/HUMINT/THREATINTEL then more power to you. If not, you’re deluding yourselves with militaristic terms and cyberdouchery… Just sayin.

However, the way things are going with regard to the world, I should think that you might see more of these kinds of intelligence arms springing up in some of the larger corporations of the world. It’s a rough world and the fact that everything is networked and global has primed the pump for these kinds of activities to be a daily operations tool. It’s now the blurring of the lines between what nation states solely had the control and aegis over to now its becoming privatized and incorporated.

William Gibson saw it.. Phramacombinats and all.

False Flags and Disinformation Campaigns

Which brings me to the next level of affairs here. When I was on the DEFCON “Fighting Monsters” panel, I made some statements that seem to have come to pass. I spoke about how Anonymous would have to worry about “False Flags” against their name as well as expand upon the idea that Pandora’s box had been opened. Nothing on the internet would really be the same because we all had moved into the “spook world” by the actions of Anonymous as well as things like Stuxnet. The lines had been blurred and all of us net denizens need to be aware that we are all pawns in a series of greater games being played by corporations and governments.

Since then, we have seen many disinformation campaigns (think sock puppets on social media, fake news stories, rumours, etc) as well as false flag actions where Anonymous may have been blamed or named for actions that the core did not carry out. So many times since then we have seen Anonymous attempt to set the record straight, but, like I said before, who’s gonna believe them because they are “anonymous” and disparate right? Could be anyone… Could be them… And with previous actions, are they to be trusted when they say they did not do it? See, the banner thing (hive mind) has a tremendous proclivity for severe blowback as they have learned.

What’s sauce for the goose though, is also good for the corporate, political, private gander right? How many Acorn operations do you need to see happening in the election cycle to realize that this has been going on for some time and that, now, with the internet, its easier to perform these kinds of operations with a very small group with minimal effort as well? Pandora’s box was not only opened, it was then smashed on the floor and what was once contained inside has been forever unleashed upon us all.

Yay.

Now, going back to you INFOSEC people, can you then foresee how your companies reputation or security could be damaged by false flag operations and disinformation? A recent example may in fact be the attack purported to be on against Josh Corman of Akamai because he said some things that “some” anonymous players did not like. Were they really out to get him? Were they doing this out of outrage or was there another goal here? What you have to ask yourselves is, what is my company and it’s employees susceptible to in this area? Just as well, this also applies to actual attacks (DDoS etc) they could be signal to noise attacks. While the big attack is going on, another team could be using the fog of war to sneak into the back door silently and un-noticed.

See where I am going there?

In the case of Josh, do they want to D0X him or do they want to force Akamai to maybe flinch and let him go because of bad press, and potential attacks on their infrastructure and management?

Ponder that…There are many aspects to this and you have to have a war mentality to grasp it at times. Not all attacks frontally are the real attack today. Nor are all attacks on players what they may seem to be in reality, the adversaries may in fact have a longer game in mind.

Network Defense and Network OFFENSE

Ok, so back to reality today with many orgs and their INFOSEC programs. You are looking to defend your network and frankly you need not have “cool” names for your program or its players. What you need is to be mindful of your environment and pay attention to the latest attacks available that would affect it. Given today’s pace though, this makes just about everything suspect. You can get yourself an IDS/IPS, an SIEM, Malware protection, and all kinds of things, but, unless you know where shit is and what it is, you lose the big game. So, really, threat intelligence is just a cool name for an SIEM jockey today.

Like I said, unless you are doing some real adversary profiling and deep inspection of attacks, players, motivations etc, you are not doing THREATINTEL. You are minding the store and performing network defense… i.e. your job.

Now, on the other end of the spectrum lately, there have been certain douchenozzles out there saying that they can sell you services to protect your org with “OFFENSE”

*blink blink*

Offense you say? Is this some new form of new SPECWAR we aren’t aware of? Firms like the more and more vaporware company “Crowdstrike” seem to be offering these kinds of services, basically mercenaries for hire, to stop those who would do you harm. What means are they going to employ here? Obviously performing what they see as intelligence gathering, but then what? Once you have attribution will there then be “retribution” now like so many Yakuza centric stories in Gibson novels? I’m sorry, but I just don’t see this as viable nor really any kind of a good idea whatsoever… Leave it to the three letter agencies.

Alas though, I fear that these companies and actions are already at work. You can see some of that in the link above to the book I reviewed on private intelligence and corporate espionage. Will your data be a part of a greater corporate or government conspiracy? Some black ops mumbo jumbo over your personal information perhaps? Part of some retribution for some attack perceived to have happened to company A by company B?

Welcome to the shadows and fog of espionage kids.

Going “Off The Reservation”

Overall, I guess I just wanted to lay some things out there and get people’s heads around the amount of douchery going on today. We collectively have gone off the reservation post 9/11 with PII, Privacy (lack thereof) and hacking. That entities like Anonymous came to be and now see the governments and corporations of the world as dark entities isn’t so hard to see when you look at the crap going on out there. What we saw in Team Themis was just one small spec in a larger “Cyber Beltway Banditry” going on today. Look to the other side where you have Fusion centers with private INTEL gathering capacities tossing out absolute crap yet spending BILLIONS of dollars and, well, there you have it.

Monkeys with digital guns.

We are off the reservation already and it’s every man  (or woman) for him or herself.

In the end though… If you have a title that says something like “CHIEF INTELLIGENCE OFFICER” on it, you’d best be at a three letter agency.. If not, then you are deluding yourself with EPIC DOUCHERY.

K.

Three Days of The Condor… With Malware…

leave a comment »

Rvy taes eha qgcq tlmbvq tqsix. Px iiuz ytwtqn cvzl dek. Yxi dtf fq wjzbbuk. Yahpv moi riagk lbrzy mop hm xte bdibuk. Mnm o tty aulu gchd fqsrrv rvy, mnm o uhvv iiuz filr, mnm gfflsze hcl dusi, mjmsx lzqn cflla, aulu uvm vyf oo hyx jed. Awr yx dmxl bazel, e nelcdbuk emrzv. Ubx te fwce simvn cgxu xte mcfk vj fhn qrk hrp ootvk as sies phb e xioh.


Turner: Do we have plans to invade the Middle East?
Higgins: Are you crazy?
Turner: Am I?
Higgins: Look, Turner…
Turner: Do we have plans?
Higgins: No. Absolutely not. We have games. That’s all. We play games. What if? How many men? What would it take? Is there a cheaper way to destabilize a regime? That’s what we’re paid to do.
Turner: So Atwood just took the games too seriously. He was really going to do it, wasn’t he?
Higgins: A renegade operation. Atwood knew 54/12 would never authorize it, not with the heat on the company.
Turner: What if there hadn’t been any heat? Suppose I hadn’t stumbled on their plan?
Higgins: Different ballgame. Fact is, there was nothing wrong with the plan. Oh, the plan was all right, the plan would’ve worked.
Turner: Boy, what is it with you people? You think not getting caught in a lie is the same thing as telling the truth?
Higgins: No. It’s simple economics. Today it’s oil, right? In ten or fifteen years, food. Plutonium. And maybe even sooner. Now, what do you think the people are gonna want us to do then?
Turner: Ask them.
Higgins: Not now — then! Ask ’em when they’re running out. Ask ’em when there’s no heat in their homes and they’re cold. Ask ’em when their engines stop. Ask ’em when people who have never known hunger start going hungry. You wanna know something? They won’t want us to ask ’em. They’ll just want us to get it for ’em!
Turner: Boy, have you found a home. There were seven people killed, Higgins.
Higgins: The company didn’t order it.
Turner: Atwood did. Atwood did. And who the hell is Atwood? He’s you. He’s all you guys. Seven people killed, and you play fucking games!
Higgins: Right. And the other side does, too. That’s why we can’t let you stay outside.

The Geopolitics of Fossil Fuels

Since the discovery of fossil fuels (oil and the derivative of gas from it) we have had a real love affair with it. Though it was tough to get out of the ground and then refine into a usable product we decided that it was the best alternative to keeping our lights on and our cars running. Since then, the resources have become the aegis of foreign and domestic policies globally, and likely will continue this way until the last drop of fuel is burned by some car somewhere. It’s these policies that I believe are driving the recent attacks on oil and gas firms within the Middle East recently. There may be some tit for tat as well, and maybe a warning to certain players, but, overall, it seems to me that a game is being played. Of course, all the games have been being played in the region of the Middle East because of the need for fossil fuels, anyone who says otherwise I think, well, is delusional.

Whether or not you are a “tipping point” believer, in general, we have seen over the years many instances where the Med has affected and still affects today, the price of gas and thus, the cascade effect prices on just about everything because we are dependent on the gas to move things, to grow things, to.. Well you get the point right? No gas means no economy really today. So, this is an imperative and those countries seeking to gain access to said fuel resources would not be above trying to get a competitive edge over others, never mind the possibilities of gaming the owners of the resource from the start right? Add to this the pressures today of the instability in the region (and really, when has it ever been really steady?) and you have quite the motive to use espionage to get that advantage and deny others the access they too desire.

It’s with this in mind that I have been sitting back and watching the events with Saudi Aramco and RasGas with some interest. I have been reading the news reports as well as the malware assessments and cannot help but see a parallel with the movie “Three Days of the Condor” from 1975. The story line moves along the lines of an analyst finding an unsanctioned plot to overthrow a government in the Middle East over oil. This film stuck with me since seeing it as a kid in the 80’s and I have quoted it before in posts on other things. This time around though, I think we are seeing some more direct actions by persons unknown, to manipulate the playing field where oil or fuel resources are concerned..

Albeit with a modern twist for today.

Spygames  with Malware

Virus origin in Gulf computer attacks in question

New Virus Hits Oil Giant, LNG Producer

At least two types of malware are alleged to have penetrated Saudi Aramco and RASGAS in the last month or two. Not much is known about them, though Shamoon aka W32.Disttrack seems to have been pulled apart a bit by Symantec. Not much has been really made in the press over these attacks and those attacked have been quiet as well. Both RasGas and Saudi Aramco though, made statements that none of their production or distribution systems were affected by the malware, a claim that they have not really backed up with facts I might add. However, as far as we can see thus far, those statements are overall true because there are no reports of system breakdowns in getting the product to and from the companies collectively.

As it would seem from the analysis thus far of Shamoon, the malware seems to be the run of the mill data thievery type that is almost COTS in a way. The more interesting bits seem to be around the “wiping” feature that was written into it. Why the malware was made to wipe the MBR is a bit of a mystery to me and seems rather amateurish in a way that leads me to believe either someone is playing it very smart, or, they are just malicious.

I can’t be sure which…

While the method of wiping is not as exotic as the so called “wiper”  Shamoon corrupts the MBR of the system and game over. I have not seen in any of the data so far (via googling) a means of triggering the wipe sequence on Shamoon though. One wonders if it’s just timed out or is there some trigger if it is detected or tampered with? Also, it is interesting to note that the name “Shamoon or Simon” is from a folder listed in the malware as well as the fact that this was targeted to the “Arabian Gulf” as the wiper module alludes to as well. So, this seems to have been a targeted attack from these bits of data and the fact that it’s penetration out in the wild is low from what I have seen online. It is likely that this was initiated by a directed phishing attack at the companies afflicted and worked it’s way through their networks. Networks by the way, that may not in fact have been separate from the ICS/SCADA networks, which it seems may not have been directly “affected” because the payload did not include any attacks on said systems. The only fallout would likely come from a PC getting wiped which could easily be re-imaged or replaced with a working copy.

Still.. What was the goal here? What data was taken? In the case of both Saudi Aramco and RasGas, a look with Google (Google Fu) shows that both companies had quite a bit of data hanging out there to exploit and use in an attack. Today though, most of their data has been redacted, but, you still can get some cached copies of interesting tidbits. Given that they were loose before, one might imagine that they were a rich target environment for the malware to ex-filtrate all kinds of documents to the C&C server. It would take a lengthy investigation as to their market placement and any potential deals ongoing to give some more context I think, but doing so would be an interesting diversion to understand these attacks a bit better as to motive though.

The Possible Players in Shamoon/Wiper/UNSUB Malware Attacks

With all that said, then who would be the likely players here? Is this nation state? Is it corporate espionage and acts of attrition in an ongoing oil war? It’s hard to say really. One source indicated to me that perhaps it was a move by Russia to give the hint to Iran on some internecine plot over power plays in the region. I personally think that the whole “cutting sword of justice” claim that they took down Saudi Aramco is bunk but hey, maybe a cabal of hackers did this to… Well do what? Perhaps there is more yet to be dumped online in a pastebin to give us the proper scope here. Overall though, it’s been really low key and not much has come out like I said on what was taken, what was done, and the damages to the systems/companies involved.

So where does that leave us regarding who did this? Well, pretty much where we stared, with supposition and guess work. Was this nation state? This is an interesting question. If it was nation state, could it have been a fledgling group, like say, the IRGC and it’s cyber hacking group recently formed? Would Iran benefit from such attacks? All good questions and something we should all ponder. However, the most interesting point there might in fact be that since the Stuxnet genie was let out of the bottle, it was only a matter of time before actors like Iran would make their own variants and loose them upon others. In the case of Iran though, they too seem to have been hit with the same if not similar malware in recent days as well, but, this does not presuppose that they didn’t have a hand in it.

All in all, there just isn’t enough information to nail down a culprit or culprits.. But, it does show us a precedent that we should all worry about just as much as we should over certain instances of attacks against pockets of ICS/SCADA implementations. What I am talking about is blowback from attacks.

Blowback

Blowback usually refers to consequences coming back on those who took the action in the first place. Here though, I am not only referring to those who carried out the malware attacks, but also on the rest of the world in certain scenarios like this. By attacking systems such as these, one could in fact cause market fluctuations depending on the markets and their jittery-ness. In the case of the oil business, we have seen great changes in prices due to not only the control over the oil and it’s price by the cartels (Saudi) but also how the countries are feeling about their markets and the state of affairs in the world. If you start tinkering with companies of this kind and by the product of destroying infrastructure (or the perception of such) you will be affecting the prices at least for those companies directly. What if though, you were to hit more of them at the same time and cause not only damage but the “perception” of insecurity within the system of oil/gas production and distribution?

This time nothing much seems to have happened, but one can only say this because there isn’t much information out there as to what really took place on those systems and networks. What if this played out another way, with much more press and obvious damages? This would be worse and might occur the next time whether or not it was intended by the programming of the malware. This all of course depends on the scope of the attacks and with that you have to wonder about nation state vs. non state actors here. The difference being, that a nation state may attack a wider variety of systems and companies as a precursor to war while the non state actors may just be looking for information or to hobble a competitor. Both however, could have unforeseen blowback from their actions.

What all of this says though, is that Pandora’s box has been opened. All the players are now taking the field, and many of them may not be ready to play a proper game… Shamoon did it’s thing, but it seems to be more a brute force tool than an elegant piece of code and a slick plan. The blowback though is yet to be determined.

K.

“THREAT INTELLIGENCE” Sure, there’s plenty out there but, are you an analyst?

with 2 comments

Sfy fdh uua ldy lbrld nswgbbm obrkdvq C phmkmye, utn obnm mify ptm mwy vl sbw mgkznwal htn gz jahwz pvvsijs vl dpgfixc.
Lwuq fnlw ug

 

From Dell’s CTU page

Threat Intelligence

Time is of the essence when protecting your organization’s critical information assets against cyberthreats. However, finding the security intelligence that matters most to your organization consumes precious time and adds strains to in-house resources already stretched too thin. At times, days or even months can pass before vulnerabilities in your environment are patched, increasing business risk and expanding the window of exposure.

Leveraging Dell SecureWorks’ global threat visibility across thousands of customer networks, proprietary toolsets and unmatched expertise, the Dell SecureWorks Counter Threat Unit (CTU) security research team performs in-depth analysis of emerging threats and zero-day vulnerabilities.

Powered by CTU research, the Dell SecureWorks Threat Intelligence service delivers early warnings and actionable security intelligence tailored specifically to your environment, enabling you to quickly protect against threats and vulnerabilities before they impact your organization. The Threat Intelligence service enables you to reduce considerable risk by closing the window of exposure more quickly, and also enables you to spend more time devoted to quickly remediating the risks most pertinent to your organization.

Threat Intelligence services provide:

  • Proactive, actionable intelligence tailored to your environment
  • Clear, concise threat & vulnerability analyses
  • Detailed remediation information & recommendations
  • Consultation with our threat experts
  • On-demand access to extensive threat & vulnerability databases
  • Malware analysis upon request
  • XML intelligence feeds
  • Integration with other Dell SecureWorks services for correlation and unified reporting

ACRONYM SOUP

Threat Intelligence: THREATINTEL another acronym or name of something we in the INFOSEC world are now hearing as a mantra of what we need. Vendors are pimping this idea as they “cloud-ify” their solutions (SOPHOS etc) to give you the proper “Threat Intelligence” for your org. Plug in threat intelligence into Google and you will get zillions of hits that are sales pitches right off the bat. However, recently on the LiquidMatrix podcast the question was posed of “just what is the meaning of threat intelligence?”

I think that is a very important question and perhaps there are more of you out there who may not know. Certainly there are C levels out there I am sure who haven’t a clue what it means as well. A basic understanding of English will tell you that this activity involves threats and their detection, but as a company what are the threats that they would be looking for? A person with a military background may have another idea altogether of “Threat Intelligence” as they may not be so much focused on network or computer issues. Instead they may focus on physical security and the threat of individuals. Still others with a mind toward the world of intelligence, may see a more nuanced picture of the same term with bigger pictures and more subtle ideas.

The upshot here is that for each person or group that takes up the idea of monitoring threat intelligence, they first have to know what they are particularly interested in keeping an eye on, and how their organizations need that intelligence to work for them.

Threat Intelligence Takes Many Forms

In today’s world and from where I am seeing (or actually hearing it used most) is in the world of information security. In this instance, and for the thrust of this article I would like to define the types of threat intelligence that we should be paying attention to in no specific order as all are an equal part of the larger picture:

  • Malware types and propagation
  • Phishing exploits in the wild and their modus operandi
  • Vulnerabilities out in the open (new and old)
  • Your AV and IDS/HIDS/NIDS capabilities (stratified? Not? Multiple types?)
  • SIEM and Network Monitoring of health/traffic
  • Network centric asset management (a good network diagram that is updated frequently)
  • Hardware asset management (knowing what you have and where it is)
  • Software asset management (knowing what you use and what should and should not be there)
  • Network landscapes (yours and others connected to you)
  • Potential Aggressors or bad actors and their types
  • News Cycles on hackers and hacks
  • Political and social “net” movements
  • Your social media posture (PR etc) in the world at large (i.e. social media monitoring of your org being talked about)
  • The state of morale at your organization
  • Industrial espionage potentials for your org (what you hold and why it might be of interest to a nation state or other)
  • Patching and your network landscape
  • The security posture of the orgs that work with you and have connection to you
  • The threat to any orgs that you are affiliated with and connected to (i.e. higher threat and poorer security posture make for a higher threat overall to you)
  • Actionable intelligence from IDS/IPS as well as trending data from a SOC (Security Operations Center)

As you can see from the above, it’s not just getting your hands on an IDS/IPS or a SOC service and looking at the attacks currently being aimed at you. You have to know the environment, know the players both inside and outside of your organization and be able to extrapolate a big picture view that you can then drill down into and have a deep understanding of.

Is this always possible in every org? Certainly not…

However, all of these factors above could lead to a technical compromise as well as perhaps an insider leak of information that could cause you great damage. You see, this has to be a more holistic picture and not just a network centric approach in order to have a better chance at protecting yourself. The focus for many of us in the information security sphere all too often just takes the form of technical means of security when the picture is much more complex. Unfortunately though, this is where many of the companies out there looking to sell appliances and cloud services lead companies and C levels astray.

Threat Intelligence Snake Oil

Sure, a SOC and an IDS/IPS is always a good thing. I am not saying that going without one is a super fantastic idea. What I am saying is first, you have to know your appliance. Know how it works as well as what the alerts mean yourselves, not just let the service dictate to you what an alert means. Now this means that you should have technically capable people who can read an alert, know the environment well, and determine “if” an alert is indeed valid.

Remember the old axiom “A fool with a tool… Is still a fool”

SOC services today often also say they offer you threat intelligence reports. These often are regurgitation’s of news stories on current hacks that have happened as well as patches being put out for various systems. No doubt these are good, but, they don’t always have everything you need to understand the threats. This is if you even get this feature, some places may in fact only offer the IDS/IPS and it will alert you alone without real context other than a CVE and some technical details. It is important when you decide to get a threat intelligence piece in addition to an IDS/IPS service, that you look at their alerts and get a good working picture of just how much information they are collecting, it’s relevance to your org, and its timeliness. After all, if you get an important piece of data the day after an attack, its already too late right?

This is all predicated though on the idea that you have someone or group of people who understand threat intelligence principles and how to apply them to your particular environment. This is where you need “Analysts” Even with a good SOC service that has good threat intelligence for you, it’s useless unless YOU have an analyst who can interpret the data.

Threat Intelligence Requires Analysis

A common issue in the intelligence game is having analysts who understand not only the data, the complexities of environments, and the big picture view of things, but also the ability to “analyze” data and extrapolate from it in a cogent way. Recently Jeffery Carr posted a blog on Infosec Island that was particularly prescient about the need to have the right psychology when performing analysis. He is absolutely right and in his article it was specifically around the intelligence collected by agencies like the CIA. You however are likely not the CIA but, you still need to have an approach to your threat intelligence in the same vein.

The technical side of the threat intelligence needs to be married with the social and psychological as well to have the big picture view of your threats. As I mentioned above, you need to know who might have it in for you, who might target you, why would they target you, and other motivations to have a better grasp of your threat matrix. For this, you need an analyst, or analysts, not just a report from the SOC. The same can be said just for the technical side of the house as well. If you have technical alerts but no real insight into how they work as well as what you presently have in your environment, then it’s game over really. The same can be said if you don’t have an analyst who can then extrapolate all of this into a cogent means of getting it across to the C levels that there is an issue(s) and the urgency or not of remediating them.

Analyses and analysts then, are the linchpin to the whole process. Without good analysis, then the service is useless really.

Graphic from: dmrattner.com

It is paramount to have a working program of threat intelligence as opposed to just getting a service and thinking you are all set. This to me, would be the next level of “Candy Security” in that you are laying all your eggs in the basket of some service like so many still today think that they have a firewall and their all good. As we have seen in the last few years alone, the threatscape of the online world has grown from just malware that steals bank data to malware and attacks that have much broader scope and end goals as well as aggressors that are thinking much more laterally in their approaches.

So once again, analysis is key.

Final Analysis

As the complexity of attacks grow at a rate outstripping the pace of “Moores Law” the defenders have to take up a more nuanced approach to protecting their environments and their data. Reliance on technical solutions alone is not tenable, and as I have said in the past, you have to look at the creature behind the keyboard to get a better picture of the attack much of the time. A better understanding of all of the areas mentioned above will give you a higher chance of at least keeping some pace with the attacks out there against you.

Without analysis and insight, you are in an oubliet.. And you will want to “forget” because if you really think about the threats just from not knowing what goes on in your environment, you won’t be sleeping much. Consider your threat intelligence program if you have one, and if you don’t consider starting one.

K.

Written by Krypt3ia

2012/08/26 at 12:41

Malware Wars!… Cyber-Wars!.. Cyber-Espionage-Wars! OH MY

with 2 comments

X

Flame, DuQU, STUXNET, and now GAUSS:

Well, it was bound to happen and it finally did, a third variant of malware that is ostensibly connected to the story that Mikko Hypponen posted about after an email he got from a nuclear scientist in Iran has come to pass as true. The email claimed that a new piece of malware was playing AC/DC “Thunderstruck” at late hours on systems it had infected within the labs in Iran. I took this with a grain of salt and had some discussions with Mikko about it offline, he confirmed that the email came ostensibly from a known quantity in the AEOI and we left it at that, its unsubstantiated. Low and behold a week or two later and here we are with Eugene tweeting to the world that “GAUSS” is out there and has been since about 2011.

Gauss it seems had many functions and some of them are still unknown because there is an encryption around the payload that has yet to be cracked by anyone. Eugene has asked for a crowd sourced solution to that and I am sure that eventually someone will come out with the key and we will once again peer into the mind of these coders with a penchant for science and celestial mechanics. It seems from the data provided thus far from the reverse R&D that it is indeed the same folks doing the work with the same framework and foibles, and thus, it is again easily tied back to the US and Israel (allegedly per the mouthiness of Joe F-Bomb Veep) and that it is once again a weapon against the whole of the middle east with a decided targeting of Lebanon this time around. Which is an interesting target all the more since there has been some interesting financial news of late concerning banks and terror funding, but I digress…

I am sure many of you out there are already familiar with the technology of the malware so I am leaving all of that out here for perhaps another day. No, what I want to talk about is the larger paradigm here concerning the sandbox, espionage, warfare, and the infamous if not poorly named “CyberWar” going on as it becomes more and more apparent in scope. All of which seems to be centered on using massive malware schemes to hoover data as well as pull the trigger when necessary on periodic digital attacks on infrastructure. Something that truly has not been seen before Stuxnet and seems to only have geometrically progressed since Langer et al let the cat out of the bag on it.

Malware Wars:

Generally, in the information security sector, when I explain the prevalence of malware today I often go back to the beginning of the Morris worm. I explain the nature of early virus’ and how they were rather playful. I also explain that once the digital crime area became profitable and firewalls became a standard appliance in the network environment, the bad actors had to pivot to generally tunnel their data from the inside out home through such things as a firewall. This always seems to make sense to those I explain it to and today it is the norm. Malware, and the use of zero day as well as SE exploits to get the user to install software is the the way to go. It’s a form of digital judo really, using the opponents strength against them by finding their fulcrum weakness.

And so, it was only natural that the espionage groups of the world would turn to malware as the main means of gaining access to information that usually would take a human asset and a lot of time. By leveraging human nature and software flaws it has been a big win for some time now. I was actually amused that Henry Crumpton in the “Art of Intelligence” talks about how the CIA became a very early adopter of the network centric style of warfare. I imagine that some of the early malware out there used by spooks to steal from unprotected networks was CIA in origin and in fact that today’s Gauss probably has some relatives out there we have yet to see by people who have been doing this for some time now and we, the general public had no idea.

Times change though, and it seems that Eugene’s infrastructure for collecting data is creating a very wide dragnet for his people to find these infections and then reverse them. As we move forward expect to see more of these pop up, and surely soon, these will not just be US/UK/IL based attempts. Soon I think we will see the outsourced and insourced products of the likes of Iran and other nation states.. Perhaps we already have seen them, well, people like Mikko and Eugene may have at least. Who knows, maybe someday I will find something rooting about my network huh? Suffice to say, that this is just the beginning folks so get used to it.. And get used to seeing Eugene’s face and name popping up all over the place as well.. Superior showman that he is.

An Interesting Week of News About Lebanon and Bankers:

Meanwhile, I think it very telling and interesting as we see the scope of these malware attacks opening up, that not only one or two countries were targeted, but pretty much the whole of the Middle East as well. Seems its an equal opportunity thing, of course the malware never can quite be trusted to stay within the network or systems that it was meant for can we? There will always be spillage and potential for leaks that might tip off the opposition that its there. In the case of Gauss, it seems to have been targeted more at Lebanon, but, it may have been just one state out of a few it was really meant for. In the case of Lebanon though, and the fact that this piece of malware was also set to steal banking data from that area, one has to look on in wonder about the recent events surrounding HSBC.

Obviously this module was meant to be used either to just collect intelligence on banking going on as well as possibly a means to leverage those accounts in ways as yet undetermined by the rest of us. Only the makers and operators really know what the intent was there, but, one can extrapolate a bit. As terror finances go, the Middle East is the hotbed, so any intelligence on movement of money could be used in that light just as well as other ways to track the finances of criminal, geopolitical, and economic decisions being made there. Whether it be corporations or governmental bodies, this kind of intelligence would be highly prized and I can see why they would install that feature on Gauss.

All of this though, so close to the revelations of HSBC has me thinking about what else we might see coming down the pike soon on this front as well. Cur off the funding activities, and you make it much harder to conduct terrorism huh? Keep your eyes open.. You may see some interesting things happening soon, especially given that the Gauss is out of the bag now too. Operations will likely have to roll up a bit quicker.

Espionage vs. Sabotage vs. Overt Warfare of Cyber-Warfare:

Recently I have been working on some presentation stuff with someone on the whole cyberwar paradigm and this week just blew the lid off the whole debate again for me. The question as well as the rancor I have over the term “Cyberwar” has been going on some time now and in this instance as well as Stuxnet and Flame and DuQu, can we term it as cyberwar? Is this instead solely espionage? What about the elements of sabotage we saw in Stuxnet that caused actual kinetic reactions? Is that cyberwar? If there is no real war declared what do you term it other than sabotage within the confines of espionage and statecraft?

Then there is the whole issue of the use of “Cold War” to describe the whole effect of these operations. Now we have a possible cold war between those states like Iran who are now coding their own malware to attack our systems and to sabotage things to make our lives harder. Is that a war? A type of war? All of these questions are being bandied about all the while we are obviously prosecuting said war in theater as I write this. I personally am at a loss to say exactly what it is or what to term it really. Neither does the DoD at this point as they are still working on doctrine to put out there for the warriors to follow. Is there a need for prosecuting this war? It would seem that the US and others working with them seem to think so. I for one can understand the desire to and the hubris to actually do it.

Hubris though, has a funny way of coming back on you in spectacular blowback. This is my greatest fear and seemingly others, however, we still have a country and a government that is flailing about *cough the Senate cough* unable to do anything constructive to protect our own infrastructure even at a low level. So, i would think twice about the scenarios of actually leaking statements of “we did it” so quickly even if you perceive that the opposition has no current ability to strike back.. Cuz soon enough they will. It certainly won’t be a grand scale attack on our grid or telco when it does happen, but, we will likely see pockets of trouble and Iran or others will pop up with a smile, waving, and saying “HA HA!” when it does occur.

The Sandbox and The Wars We Are Prosecuting There by Malware Proxy:

Back to the Middle East though… We have been entrenched in there for so so long. Growing up I regularly watched the news reports about Lebanon and Israel, Iran and the hostages, Iraq, Saddam, Russian Proxy wars via terrorism, Ghadaffi and his ambitions as well as terror plots (which also hit close to home with the Lockerbee bombing) You kids today might think this is all new, but let me tell you, this has been going on for a long long time. One might even say thousands of years (Mecca anyone? Crusades?) So, it’s little wonder then that this would all be focused on the Med.

We are conducting proxy wars not only because of 9/11 but also economic and energy reasons as well. You want a good taste of that? Take a look at “Three Days of the Condor” a movie about a fictional “reader” for the CIA who stumbles on to a plan to disrupt governments in the Middle East to affect oil prices and access. For every person that said the Iraq war and Afghanistan wasn’t about oil, I say to them look at the bigger picture. There are echoes there of control and access that you cannot ignore. Frankly, if there wasn’t oil and money in the region, I think we would have quite a different story to look on as regards our implementing our forces there.

So, with that in mind, and with terrorism and nuclear ambitions (Iran) look at the malware targeting going on. Look at all of the nascent “Arab Springs” going on (albeit really, these are not springs, these are uprisings) we have peoples who want not to live under oppressive regimes not just because they aren’t free to buy an iPhone or surf porn, but they are also oppressed tribes or sects that no longer wish to be abused. All of this though, all of the fighting and insurgency upsets the very delicate balance that is the Middle East. Something that we in the US for our part, have been trying to cultivate (stability) even if that stability came from another strongman that we really don’t care for, but, who will work with us in trade and positional relevance to other states.

In goes the malware.. Not only to see what’s going on, but also to stop things from happening. These areas can be notoriously hard to have HUMINT in and its just easier to send in malware and rely on human nature to have a larger boon in intelligence than to try and recruit people to spy. It’s as simple as that. Hear that sucking sound? That’s all their data going to a server in Virginia. In the eyes of the services and the government, this is clearly the rights means to the ends they desire.

We Have Many Tigers by The Tail and I Expect Blowback:

Like I said before though, blowback has a nasty habit of boomeranging and here we have multiple states to deal with. Sure, not all of them has the ability to strike back at us in kind, but, as you have seen in Bulgaria, the Iranians just decided to go with their usual Hezbollah proxy war of terrorism. Others may do the same, or, they may bide their time and start hiring coders on the internet. Maybe they will hire out of Russia, or China perhaps. Hell, it’s all for sale now in the net right? The problem overall is that since we claimed the Iran attack at Natanz, we now are not only the big boy on the block, we are now the go to to be blamed for anything. Even if we say we didn’t do it, who’s gonna really believe us?

The cyber-genie is out of the cyber-bottle.

Then, this week we saw something new occur. A PSYOP, albeit a bad one, was perpetrated by the Assad regime it seems. Reuters was hacked and stories tweeted/placed on the net about how the rebel forces in Aleppo had cut and run. It was an interesting idea, but, it was ineffective for a number of reasons. The crux though is that Reuters saw it and immediately said it was false. So, no one really believed the stories. However, a more subtle approach at PSYOPS or DISINFO campaigns is likely in the offing for the near future I’d think. Surely we have been doing this for a while against them, whether it be in the news cycles or more subtle sock puppets online in social media sites like Twitter or Facebook. The US has been doing this for a long time and is well practiced. Syria though, not so much.

I have mentioned the other events above, but here are some links to stories for you to read up on it…

  • PSYOPS Operations by the nascent Syrian cyber warfare units on Reuters
  • Hezbollah’s attack in Bulgaria (bus bombing) in response to STUXNET and other machinations
  • Ostensible output of INTEL from Gauss that may have gotten HSBC in trouble and others to come (Terrorism funding and money laundering)

All in all though, I’d have to say that once the players become more sophisticated, we may in fact see some attacks against us that might work. Albeit those attacks will not be the “Cyber Pearl Harbor” that Dr. Cyberlove would like you to be afraid of. Politically too, there will be blowback from the Middle East now. I am sure that even after Wikileaks cables dump, the governments of the Med thought at least they could foresee what the US was up to and have a modicum of statecraft occur. Now though, I think we have pissed in the pool a bit too much and only have ourselves to blame with the shit hits the fan and we don’t have that many friends any more to rely on.

It’s a delicate balance.. #shutupeugene

Pandora’s Box Has Been Opened:

In the end, we have opened Pandora’s box and there is no way to get that which has escaped back into it. We have given the weapon framework away due to the nature of the carrier. Even if Gauss is encrypted, it will be broken and then what? Unlike traditional weapons that destroy themselves, the malware we have sent can be easily reverse engineered. It will give ideas to those wishing to create better versions and they will be turned on us in targeted and wide fashions to wreak as much digital havoc as possible. Unfortunately, you and I my friends are the collateral damage here, as we all depend on the systems that these types of malware insert themselves into and manipulate.

It is certainly evident as I stated above, our government here in the US is unable to come up with reasonable means to protect our systems. Systems that they do not own, Hell, the internet itself is not a government run or owned entity either, and yet they want to have an executive ability to shut it down? This alone shows you the problem of their thinking processes. They then decide to open the box and release the malware genie anyway… It’s all kind of scary when you think about it. If this is hard to concieve, lets put it in terms of biological weapons.. Weapons systems that have been banned since Nixon was in office.

The allusion should be quite easy to understand. Especially since malware was originally termed “Virus” There is a direct analogy there. Anyway, here’s the crux of it all. Just like bioweapons, digital “bioware” for lack of a better term, also cannot be controlled once let into the environment. Things mutate, whether at the hand of people or systems, things will not be contained within the intended victims. They will escape (as did all the malware we have seen) and will tend to have unforeseen consequences. God forbid we start really working on polymorphics again huh? If the circumstances are right, then, we could have a problem.

Will we eventually have to have another treaty ban on malware of this kind?

Time will tell.. Until then, we all will just be along for the cyberwar ride I guess. We seem to be steadily marching toward the “cyberwar” everyone is talking about… determined really to prosecute it… But will it get us anywhere?

K.

Defcon Grows Up and Gets Recruited As An Asset…

with 3 comments

I came to Defcon this year as it turned 20 and after much had changed on the world stage regarding our business (INFOSEC/Pentesting/Dev/SECOPS) much remained the same. What has really changed though, and could be seen at this anniversary year was just how much our antics and interests were now the new “hotness” to the government and the military. Never before had the NSA had a booth at our conference but this year, they were there with recruiting in mind and that is a big change.

However, you may be saying to yourself right about now “Uhh, but, this has been going on a while, not just now” Well, yes, it has, but, what I have noticed this last con was that it’s not all about the tech, this year, it was also recruitment of human assets who would give “intelligence” to the players like NSA. No more are they just looking for programs and programmers, but also seeking out to make connections with people who have connections. You see, as Shawn Henry said as well as General Alexnder, “we need you to keep an eye out and tell us if you see something” What I heard was the equivalent of “if you see something say something” that the TSA has plastered at airports.

This is an important paradigm that we all need to be aware of. With the advent of Anonymous and Stuxnet as well as the nascent idea of the internet becoming a “digital nation state” we all have to be mindful that while the technologies out there are a commodity, so too are we in the great game of cold war intelligence and cyber war. We are the commodity that makes the new exploit as well as being the HUMINT asset that intelligence agencies need to “collect” with.

Now, while you are pondering that, consider the fact that the “opposition” is also trying to curry favor and recruit us as well…

Yup, that’s right. That party you might be attending might in fact have operators from other countries clandestine services too. In fact, that party could even be funded by said agencies and players to get you to chat and perhaps leak meaningful information. Think about it, how many of you out there reading this post work for fortune 500 companies as security technicians? What kind of data is in your head that might be of use to a foreign operative?

Ponder that as you sip that free drink late in the day. Say, did you know that the Chinese most preferable means to gaining intel with visiting professors and the like, is to have them over tired and tipsy? It’s true, it’s low level but its been used on many an occasion. You see, once you start talking, then you open the door for more rapport building, and then it’s pretty much over. One wonders how many Los Alamos folks had the same treatment on trips to China. Now think about the average Defcon party and the amount of alcohol and sleep deprivation we have going on there.

Just sayin…

So, look at it from that perspective. Now the NSA has come to the con just as the FBI and other agencies and security bodies so too will the “other guys” I don’t know how many of you out there come from military or “other” backgrounds where you will have a DSS or counterintelligence training,but, I am assuming that a vast majority of the folks attending the cons today do not have that background, especially the younger ones who’s only been in the security arena a short time. Pentesters who know SE should be able to easily detect some of the techniques used to recruit an asset, and tease out information.. Others, maybe not so much.

So here we are today, APT (Yes China being one purveyor of APT attacks) are not only using malware to get into systems but also recruiting sources to help them in their goals. Used to be a time that it really only was the nuclear scientists getting the attention… Today though, everything is game, you might make widgets, but that doesn’t mean that someone doesn’t want to know what you know.

Pssst… It’s still espionage kids… And now YOU are part of it because you hold interesting information.

How’s that for some “Threat Intelligence” huh?

Which brings me to the second line of thinking or topic that came up this year. The government is asking us to consider more “threat intelligence” and to bring them in on the loop. See, right there, they are asking you to be an asset.. Did that occur to you? Of course I know for the most part you all thought, as I did too, that the idea was a bit silly.

Why?

Because who really has that kind of threat intel program going on today? Hell, we are all pretty much trying to just keep our shit together right? On average, unless you work for a major company,you may not even have an SIEM or even snort instance right? How are you going to convince your employer that you need that stuff and then more so, to pass that intel to the government? The only groups I have known to do this are the DIB partners, and they do it because they don’t want to lose contracts for the military.

So now, we would all be assets? All corporations out there, whether they are being attacked by APT or Anonymous, would be reporting their incursions or attempts at them to the government? That’s kinda spooky really. This also circles back nicely to the idea that we all now, all of us in the INFOSEC community are now collection nodes for SIGINT/HUMINT/MASINT/ELINT and not many of us have had the training to be analysts.

You see, when you use the words “Threat Intelligence” this has some context that some may not get right away. It’s not just what IP is hitting us and with what attacks anymore.. It’s about the context around all of that and the attribution that is needed for cyber warfare, or more likely, cyber intelligence operations. I expect to see a lot more of this lobbying going on at all of the cons as well as more people sidling up to the attendee’s and asking “so, what’s going on out there?”

For those of you not acquainted with HUMINT and it’s techniques, I suggest you read “The Art Of Intelligence” By Henry Crump and learn… Why? Because that guy you’re talking to at the cool party might just be a PRC case officer…

Interesting times….

K.

La Amenaza de Irani

with one comment

La Amenaza De Irani (trans: The Iranian Threat or The Iranian Menace)

YouTube Video Part 1-4

A recent investigative report carried out by Univision (Television de Espanol) released this month has some pretty powerful footage showing an undercover operation that sent college students to propose cyber attacks on the U.S. to the Iranian ambassador in Mexico. Ambassador Mohammad Hassan Ghadiri was approached with  hidden cameras and talks were held to discuss the potential for state sponsored (by proxy of Hezbollah) attack on the White House, FBI, CIA, and nuclear power plant systems within the United States. The footage in the report clearly shows the ambassador talking about these topics and also asking about how to further this by making certain contacts.

Now, of course this whole story is sensational and of course the Ambassador could just as easily say that he was leading them on to get an in on those who would like to attack the US to use in other ways, not necessarily that he was actually plotting against the US. Though, the likelihood is that the Ambassador was playing along in hopes that perhaps the Mexican students could be used as a proxy against the US and thus keep his hands clean.. A win win for Iran and himself really. However, there is a bigger story here than just the plot as laid out by the college student to the ambassador and his interest as well as the interest of the Venezuelan officials also caught on camera accepting the plans from the Mexican students.

The bigger and ongoing story is that of the connections between Iran and various countries in South America and their use of cocaine trafficking to further their agenda’s world wide as well as focused on the US. The report goes on to cite others in the US and in the various governments in South America laying out the framework for a bigger picture on Hezbollah, narco-trafficking, and the potential for the semi porous border between the US and Mexico to be used to infiltrate Islamic terrorists (Hezbollah and others potentially) into the Unites States. The report cites as well that there are connections between mosques and training camps in Venezuela that also get support from the aforementioned narco-trafficking.

To me, it looks like what went on in the 80’s with Communism and terrorist groups in South America has now been supplanted with Iran and extremist Muslim thought and this is something we should be aware of. I am sure that the government and the agencies have been for some time, but this has not really been in the public eye until now, and even then, I am not seeing too much being made of this in the media as yet. The most the media has been talking about has been the fact that there was a plan for a cyber attack on the US infrastructure, but, like the media does each and every time, they seem to fail to grasp the smaller issues that are more important than an alleged plan for a “cyberwar”

Iran, the Nuclear Plot, and Reality (Hezbullah Cyber Army)

The actual “plans” given by the college students to Ghadiri were not shown or elaborated on in the Univision report, however, one can assume that they included the STUXNET type attacks that hit Natanz but also perhaps denial of service attacks as well on the FBI, CIA, and White House. Since there is nothing really to work with on this, I cannot say for sure, but, one need only look toward the “Hizbullah Cyber Army” that Iran recently unveiled to see where their ambitions lie after being spanked so well by Stuxnet and whoever carried it out. No doubt though, the Iranians would seek to welcome the likes of the Mexican hacker community to their effort as the Mexicans have had a track record with regard to hacking and digital scams in the past.

Once again though, I would like to see people have the realistic reporting that there was no real cyber plot, but instead that this was the entre into the Hezbollah by offering such a plan or plans… Let’s not let the media run with this cyberwar angle ok?

The plans that the college students passed to Ghadiri also included talk of EMP attacks as well as cyber attacks against infrastructure. The EMP attacks are of interest in that they could be carried out by missile launches. Launches that could come from sites that Iran and Venezuela have allegedly talked about having in place in country. So far as I am aware, the only real way that an EMP of worth, could be carried out by such as Iran would have to be a high altitude detonation of a nuclear device. Which means that Iran really probably does plan on having nuclear weapons as opposed to their claims that they only want to have nuclear power for the country.

Frankly though, I do not see that the plan and this report should just be seen as a cyberwar piece. This all begs much larger conventional questions about the moves that Iran has been making in South America and now Mexico.

Iran and South America

Hugo Chavez has been getting closer and closer with Iran for some time now. Venezuela and Iran have forged close ties and much of their work together has been over more than just domestic and financial issues. It seems from the Univision report, that also the two have been working together on Nuclear programs. Iran has been working with Venezuela on plants there and I am sure that Venezuela has likely been acting as a cutout for certain things that the Iranians would like to have (i.e. perhaps as a go between for parts etc, that Iran cannot get due to sanctions) So I am sure it is a beneficial relationship that Mahmoud and Hugo have, but there are other things under the crust that one has to take into account.

Proximity is one issue that I know has been spoken of before and it has to be discussed again. There has been talk in the past of Iran and Hugo’s desire to have a set of missile bases in Venezuela that could easily launch missiles at the US. With the Iranian technology that they have, they could in fact put in sites that, much like the Cuban affair back in the 60’s, cause great consternation for us all. I have heard in the past that there was talk of this between the two countries and heads of state, but, now it seems that perhaps we should be more wary that perhaps there are some sites or portables that Iran may have slipped to ol’ Hugo.

However, the other issues brought up by the report from Univision do take some precedence today. The proxy war of using the Narco gangs to train Islamist terrorists is not a new one by any means, but, seems to be bearing fruit now. For some time the terrorists and narco traffickers have been getting closer because their needs can be fulfilled by both working together. Much of this also is being backed up (allegedly) by the Univision reporters who now also claim to have hours of tape on Muslim jihadists training with the drug smugglers on tactics in training camps tucked away in South America.

Though, the real relationship to me, is that the drug gangs are being used as proxies for Iran’s and only for Iran’s benefit.. They simply are pawns in a bigger game of global Stratego that Iran wants to play. They are also all being played by Hugo Chavez, who gets the money, the power, and the control he desires all the while getting in on the ground floor on the war against the “Great Satan” as Iran calls the US.

Iran and Narco Trafficking (Hezbollah/Los Zetas/Mexico)

Another disconcerting event came yesterday as it was announced that a Lebanese drug smuggler was charged in the US for smuggling 85K kilos of cocaine into the states. Ayman Joumaa a.k.a “junior” was captured and is now being charged with this crime as well as being the money man for Los Zetas, using a Lebanese bank in Canada to launder about $850 million dollars. Joumaa’s connections though also connect him with Hezbollah and thus, we now have more connections between the likes of Hezbollah and Los Zetas.

If you will remember back a bit, you will likely think about the plot that was broken up recently where Iran (Hezbollah) had worked a deal with Los Zetas (allegedly) to bomb a Saudi ambassador while in NYC. Many people thought that the plot seemed a bit cooked up and perhaps overly dramatic, even perhaps some thought that it was disinformation, but, it seems that from numerous sources you can see a pattern emerging between the cartels, islamist terrorists, and the inspirations of Iran and Venezuela.

Further proof comes from the Antisec/LulzSec dump of the AZ DPS reports on the connections between the Islamic extremists and the Hezbollah network in Mexico. Clearly the government seems to be concerned. By using the Zetas, Hezbollah will have a far greater reach into this country through the trafficking routes, coyotes, and money that they are facilitating being made to launch campaigns here in the states… Someday.

Past as Prologue: The 80’s and Ron Reagan

In the end, this report shows quite a bit about how the Islamic jihad and Hezbollah have made inroads into South America. Inroads that could lead to some serious consequences with global terrorism as well as the goals of Iran as a whole where the US (a.k.a Shaitan) are concerned. It would seem to me that the 80’s are coming back and we will find ourselves once again sending wet work teams in country to work against such groups as ETA, FARK, and now Hezbollah in South America.

The report, which I suggest anyone who can speak Spanish see, covers much more than anything you might read in the English press. They talk to several US officials in DEA/CIA etc and one of them actually calls the acceptance of the “cyber attack plan” an act of war

*shudder*

However, you will get to see that Univision did their homework and connect the dots pretty well between the governments of Columbia, Venezuela, and Iran in complicity on a plan like the one offered. So, it could be possible in the future to see such attempts as plausible. We definitely have to keep an eye on the region and the machinations of the likes of Chavez and Mahmoud.

However, what I don’t want to see is another Iran-Contra Affair come up. Guess Ollie might have another job ahead of him…

So when do we get the second “New Wave” movement from Britain then?

K.

Written by Krypt3ia

2011/12/14 at 17:39

Paradigm Shifts: Global Salafi Jihad and “The Group of Guys”

with one comment

Global Salafi Jihad

The idea of Global Salafi Jihad has been something that I have been thinking about since the demise of OBL and now Anwar and his cohorts at Inspire (Malahem) and it seems reasonable to me that this is the natural next step in the jihad movement. The term “Global Salafi Jihad” denotes that the jihad has switched from the loosely based Salafist ideals put forth by AQ and is shifting back to the more rigid beliefs of the Salafist.

The exhortations of AQ online and other, have been curtailed since the deaths of OBL and Alawki with the media wings only putting out the usual rhetoric that it has been unable to substantiate with actions. It would seem that in the case of the Western jihadi’s that they hoped to induce into jihad, the AQ team has failed to really produce the desired effect and have waves of Western jihadi’s who activate and wreak havoc here and abroad. In fact, there have been 176 cases of self radicalized jihadi’s in the US and only 2 of them actually went on to physical attack mode with firearms.

So, it has been a lackluster performance and AQ knows this. It is my thought that the next turn will be more toward radicalizing actual Muslims with the tenets of Salafi belief. Whether or not this will take the shape of online exhortations or the more localized indoctrination at mosques is the real question. Again though, shifting back to this position I feel, is the only way to go about getting their desired goal of creating zealots who are willing to become shahid for their cause. It is finally becoming clear to them that the Western kids are just that, Western, and not really inclined to doing much other than talking about jihad as living out those fantasies online, much as they do with video games.

With the true believers though, the ones who have been trained in madrassa’s by wrote with Salafist beliefs, those are the core that they seek to manipulate and use to their own ends. This means that the pivot I believe, will be more of a focus back to the core Salafi ideology while manipulating the recruits with propaganda on how the kafir have invaded the lands (the usual line)

Net/net this means a kind of indoctrinal brainwashing… One that really will pivot back to the lands of the Ummah as the training grounds. This however will not be the true ideal of “Global Salafi Jihad” but it will be the only way I think that they can see toward keeping their movement relevant and alive.

The Group of Guys Theory and Jihad

The other aspect of this line of thought is that the theories of Dr. Marc Sageman will come to play and there will be “groups of guys” who will coalesce together in places to eventually take up jihad and Salafi beliefs. Dr. Sageman’s premise is that for the most part, the jihadi’s that have come about and actually carried out attacks were not trained in madrassa’s from childhood, but instead tended to be 2nd generation Muslims living in countries that are not predominantly Muslim. In fact, many of these guys were not radical at all until they began to feel a certain discontent with where they were in life and sought to learn about their heritage. There seemed to be something missing and when they started looking, they came across the AQ doctrine and gravitated toward it for a few reasons.

  • Romanticism
  • Fraternity within their group
  • Adventure

Much of the same ideas play out in the online jihad as well, but seem to not get the real life spark that is required for the actors to really activate and play their part in reality as opposed to their idealized and fantasy life that they can easily sublimate their desires with online without having the danger angle. In the cases that Dr. Sageman looked into, these players got together and as a cell, in person, worked out the details and egged each other on to actually doing something in real life.

And this is a key difference today.

Going back to the online jihad, we see this egging on and inspiring speech within the bulletin boards, but the reality is that each and every one of these players is alone in a room somewhere typing on a keyboard. Once disengaged from the internet, they do not have the physical presence and the motivation to actuate.

Post UBL, Anwar Alawki, & Inspire Magazine

Since the death of Anwar Alawki and his cohorts, Inspire magazine has been off of the digital shelf. This magazine was the closest that the AQ set had gotten to being hip and cool enough to garner attention from the Western kids. Now that it is gone, the one conduit to perhaps creating more lone wolves went with it. However, even this magazine had issues with trying to get the masses to heel to and do their bidding. This is something that they also lamented a bit in the propaganda and planning materials and I have written about in the past.

Now that this is gone, and as far as I know there are no players to fill the void, this has dealt a real blow to the online jihad and once again tips it back to the old model of Salafi jihad taking over where the Mtv AQ set has left off. This is problematic for AQ as the Salafi mindset is more than certainly not one that the Western mind and the kids here today really get, so, I am sensing an overall failure to inspire the kids with it sans something like Inspire Magazine. The question then becomes is there anyone to step up here? Perhaps Gadahn, but, he is really not that inspired himself nor inspiring for that matter.

The right word for Adam is pedantic I think.. He and Ayman are much the same in reality… Uninspiring old men yelling at the world to get off their lawn.

The Failures of Social Networking in Jihad

The use of Net 2.0 and Social Media however has been an important feature to the online jihad. Today there are numerous sites out there with Jihadi content and themes. These sites as I mentioned above, have only nominally created any kind of serious jihadi’s though. The problem with these sites though from my perspective is that C&C for those who would self activate or those “groups of guys” out there who create their own cell autonomously, can get direction and support from these sites.

I would say that 95% of the traffic on these sites are just kids playing “Jihad” online but there is a very real aspect of command and control here that should be recognized. Inspiration as well is another key factor to look at too as these sites can attract those seeking excitement and direction. Those that want to get indoctrinated can then easily get the materials and the chat to move further toward their evolution of becoming the next wanna be shahidi making a crude device in their basement or chatting with others about aspirations of shooting up a mall.

Fortunately, the use of these sites has been a boon to the likes of the FBI as they are able to obtain attribution on their users as well as insert players into the game to lead them into traps and roll them and their aspirational plans up with stings. However, as I pointed out earlier, it seems that nothing can replace the actual proximity of individuals to each other in real life to get them to actuate their plans beyond just talk.

This is a key factor and why I now feel that the online jihad is a failure and will continue to be so. You can network all you want, but human nature plays a key role here. It’s easy to just sign off, create a new ID and be anonymous online as people jeer at you. In real life, that social embarrassment and pressures involved in real life social interactions are the main reasons that others have re-enforced each other to acts of jihad.

The Network As Battle Space for Jihad

The paradigm change though I fear has been fomenting with the likes of Anonymous and their online movement. If the jihadi’s actually acquire online skills in the hacking sphere as well as figure out how to inspire and energize the more savvy believers online, then we have more problems. Recent events with regard to ICS and SCADA system vulnerabilities has shown that there is a potential for online mischief that AQ could leverage. These types of attacks would not be world ending and nothing close at all to what happened on 9/11, but instead would further the tenets that OBL laid out with regard to a “Death of a Thousand Cuts” type of warfare against the US.

It is my belief that this is potentially the new battlefield that AQ could leverage where the Western kids who gravitate toward jihad would be willing to take up digital arms. This paradigm would work for both the AQ core and the wannabe’s out there online who are unwilling to blow themselves up for Allah. With the idea that the internet offers anonymous ways to attack the powers that be (ala Anonymous) then I believe that AQ has a greater chance of inspiring followers to action and thus to potential real world acts of digital terrorism.

Acts that would not cause mass casualties on the whole, but would cause the government here to spend much more money and time on the “digital war on terror” and once again put fear into the populace who will now worry that their water will be cut off, or polluted with feces. Only these types of attacks, with real world consequences will be at all effective in furthering the jihad. Defacement of pages etc, is just skiddie stuff that will serve no greater purpose. Just one hack though on a power plant or more likely a water facility in podunk illinois will set the media and the chicken littles into a tizzy though, and that will be a media win for the jihad.

Once this happens and is claimed by the likes of online jiahdi’s then we will have a problem because this will give them the air that they desire and AQ will leverage that.

Running on Empty, AQ’s Message is Losing Steam

Generally though, I am feeling of late that the AQ message has been diluted by the deaths of key players and the squeeze we have placed upon the organization. The marketing of AQ to the masses online has been damaged with the loss of Alawki and his boys (inspire) even though they were still grappling with a working formula for their brand of jihad online. Now that the old man (Ayman) is in charge, I expect that the dictum will fall back to the Salafi system of thought, and that is a tough one for the Western kids to get in line with.

Unless AQ gets hip or learns that the digital space is up for grabs and acts on it, I frankly see the movement as going back to its roots. There will be an amount of time where AQ will have to inculcate more jihadi’s out of the next generation of kids in madrassa’s and this will take time. More and more the movement will have to be relegated to the steps of the tribal lands where it will fester.. Unless Pakistan gets in line and dismantles the ISI support for them and cleans out Waziristan.

Not too likely at present.

So, the core will go on. They will continue to try and get their message out, but it will go to the net 2.0 generation who really aren’t so much into blowing themselves up nor are they that devout.

Looking Forward Into The Jihad

So where does that leave us? I think that overall, we are going to see another shift in AQ and Jihad in general. The online jihad experiment has failed and I think the smarter ones in AQ know this. They will go on to re-tool and re-group while trying to avoid being hit by a hellfire launched from a predator. The only problem that I can foresee is the idea that they will learn something from the Anonymous movement and work more within the digital sphere.

Not so much recruitment… Until they have a success with a digital attack… Then the jihadi skiddies will come out of the woodwork.

Until then, we will have some more “get off my lawn” dispatches from Ayman.. And that’s about it.

K.

Written by Krypt3ia

2011/12/07 at 12:11

Handwringing, Moralizing, Anonymous, Paedophilia, and Digital Vigilantism

with 2 comments

Preamble:

I recently posted about the Hidden Wiki and its prevalence in hosting paedophilia content. This post may or may not have left an impression on some of the  anonymous collective to take action and perhaps sow good will for their group by hacking into the “Lolita City” site within the DarkNet and releasing thousands of users email addresses and personal data (such as it is on such a site) for the Internet to feast upon. The Anon’s are doing this for their own reasons, but the upshot of it all is that they are causing the paedophiles pain in making it hard for them to get their content as well as potentially outing them online as purveyors and consumers of this wretched content.

Since my post applauding them and giving them some direction as to how to become more of an intelligence gathering apparatus for the LEO community, some in the infosec world have come forward and voiced concerns about this line of thought. All of the talk about the morals, legalities, and philosophical aspects of Anonymous undertaking such actions has gotten me thinking quite a bit.It all raises some interesting questions and philosophical challenges.

Anonymous and Digital Vigilantism:

What I think that most people with reservations about Anonymous taking up such operations as the DarkNet op have are that these people are for the most part kids without training and without any kind of oversight. Oversight in that they could get too big for their britches (one could say that many already have) and think that they are invulnerable to attack never mind the respective laws of our society. That said, it would seem that Anonymous, Antisec, and LulzSec have already decided to take up the mantle of vigilante’s already. However, the targets have been, for the most part, varied parties that could be seen as hapless victims or as malefactors, it all depends on the point of view really.

In the case of Scientology, well, aside from religious freedoms (trust me, they are not a religion) generally the Scientologists have been pretty much seen as getting what they deserved. Today though, years later, Anonymous has begun to take on the governments of the world as well as the likes of Paedophiles online. Once again, generally, people see what they want to concerning whether governments are good or bad. Paedophiles though, pretty much are outlawed universally. So, when Anonymous decided to attack, I could not fault them one bit. However, I could perhaps fault their methods.. Only in that they were bound to only let the paedo’s get away in the end.

I have said it before and I will say it again.. “One man’s freedom fighter is another man’s terrorist” It all depends upon your perspective really. While I do not think all of their targets have been chosen wisely, I cannot fault the true believers out th4ere that they are doing something out of conscience and good. This is not to say that a certain element of the movement is in fact just in it for the lulz (i.e. Antisec and LulzSec) There certainly are factions at play who just want to see the world burn as well as garner themselves digital street cred.

Overall though, the term Vigilante denotes a person or persons (committee’s) who dole out justice summarily when the law is seen as ineffective by them. In this case, the Anon’s have taken up the mantle of vigilante in order to rid the DarkNet of paedophile content because law enforcement seems unable to effectively. Now this is also the crux of the issue in another way, as the police generally are not allowed to hack into sites and dump the dirt so to speak.. The Anon’s are unhindered here. Just as they have felt the same way about other operations where they have denied service to corporations (likening it to a digital sit in) they have crossed the line of the law, but, their methods and motivations are free of it… Until they get caught that is.

The essence of the thing is this.. “Don’t do the crime unless you can do the time” If they believe in it strongly and act upon it, then they must accept the risks of being caught and incarcerated. So far, much of the motivation I have seen by a good deal of anon’s has been motivated by convictions and beliefs. All others have been for Lulz, which is what made LulzSec even more of a problem as they just did not care. The current Antisec movement that LulzSec begat also seems to lack the conviction of their beliefs and seems more driven by ego than anything else by their writings.

And this is the difference between the chaotic Joker like actors and the Batman types.

Anonymous vs. PLA, vs. Patriot Hackers:

Pulling back a bit now, I would like to look at the macroscopic view of Vigilante behaviour versus nation state sanctioned or perhaps, a better word for it would be “condoned” actions and groups. I have written in the past about groups like the Honker Union in China as well as the colourful character known as th3j35t3r. both of these entities have had an effect on the collective consciousness concerning digital vigilante justice and I think it important that they form the contextual base for Anonymous’ actions in Operation DarkNet.

First off, ALL of these entities have been doing what they do (Jester DDOS of Jihadi sites and Anonymous, Honker, hacking against the enemies of China, and Anonymous, attacking sceintology, the gov, and paedo’s) with a mind toward doing “good” In the case of Jester, he thinks DDoS-ing jihadi sites out of a patriotic bent that will stop them from communicating. In the case of the Honker Union, they are patriots to their homeland and attack others who would do their country slight or harm. Anonymous though, started out of /b/ … Which really is a band of miscreants for the most part. However, a core group decided to take on the mantle of doing right somewhere down the line and we find swaths of them today supporting Occupy Wall Street and other political agenda’s.

The basic idea here is that they are all motivated by a belief in some greater good.. Mostly. I am sure there are on individual levels, many more motives (ego, greed, ego… the list goes on) but I will just put it to a gross generality that these people want to effect some kind of change.

At least I hope that this is the case…

What is really different though is that in the case of Jester and the Honker Union, they both are condoned if not outright supported efforts by the countries they reside in. In the case of the PLA and the Honker, there is clear connection between the state and their actions. In the case of Jester, there are allegations (made by him) that his is state sponsored.. But, I think more to the point he is condoned. Either way, the Anon’s may indeed be getting some support (moral or other) from state sponsors and not even know it. In the case of Anon, they could just become the tool of another nation state and not know any better.

Which is pretty scary.

All of these entities though, have had a greater or less effect upon the internet these last few years through their online shenanigans via hacking. The secret is this, they are just the first. There will be others to be sure.. The genie is out of the bottle on this one.

Anonymous vs. LulzSec & Antisec:

Conversely, we have LulzSec and Antisec, who both wreaked havoc on the corporations and the police of the world lately. Their reasons for doing so pretty much have been stated as “because we are bored” At the core though, there seems to be a couple of motives here from postings online. One is the afore mentioned Lulz, the other, seems to be a kind of abject hatred of authority and police. In recent hacks on the police though, there seems to be a bent toward supporting the Occupy movement as the police have had some transgressions against them. So.. They hacked the police and dumped all their data to spite them. Frankly, I see no value to this and once again, even if motivated by supporting the movement, it has no real effect on the police other than to make them more angry and reactive against the protesters.

Basically, I still see Antisec as the Penguin & Joker while Lulz as The Riddler though while Anonymous has become more like The Batman in certain quarters

Anonymous on the other hand has had its lulz, but seems to be growing up a bit and maturing. The social conscience of anon has begun to take shape and within it (movement wise) may well be the lasting component that will be its Raison d’être in the end. Time will tell though, and I hope that this is the case more so than just a bunch of malcontent’s seeking attention and excitement.

The Hand Wringing by The Infosec Community At Large:

Alright, back to the hand wringing and the moralizing post the Op DarkNet…

Certain people in the community wrote that while the empathised with what Anon was trying to do with Op DarkNet, they felt that these people were not the folks they would have doing this to start. Most of this comes from the fact that many of the players are not trained investigators and not LEO’s. I can agree with this from the perspective of legal proceedings later on. If Anonymous hacks a server and then dumps data, it could have an effect on the court case from a few perspectives;

  1. Contamination: The defense could claim that the server was hacked and the data planted
  2. The data could have indeed been tampered with by anon’s
  3. The backend of the server/dbase could in fact be shared and all those who share could be swept up in the legalities/implications
  4. The hack is enough to raise reasonable doubt

So, yes, it could be counter productive to have a vigilante force actually hack a system and report it to law enforcement. However, I would advocate that in the case of Anonymous and the paedo’s at the least, they not just hack and dump data, but instead give that data to law enforcement to start an investigation. For that matter, if Anonymous just located the servers and authenticated (sans hacking) that the content was there, they could in fact just tip off the police.

And this is at least part of what they did with Lolita City in the DarkNet. They tried to locate the server location and this alone could be a great boon for the authorities.

On the other hand, there are moral/ethical objections on the parts of some who think that perhaps letting Anonymous do this type of thing, or even encourage it is setting a bad precedent. To them, Vigilante’s are outside the scope of good behaviour and the law.. They cannot be tolerated. Personally, I think that that is a sanctimonious load of crap, but, that’s just me.

Sometimes when the system cannot function other means need to be taken to effect change. In this case, within a network that is anonymized and the authorities have had little success in catching anyone trading in paedophilia, I see no harm in Anonymous outing them.. Though, I would rather they just passed the intelligence to the LEO’s instead. It is my opinion, that if done correctly, intelligence gathering of this type with a tip off to the police has a better chance at actual arrests and convictions than to just let them go on about their peddling of child pornography.

Just one man’s opinion…

Philosophical and Ethical Stands On Being The Digital Batman:

Utilitarianism:

This is the philosophical and ethical standpoint I take in being the digital Batman. Strict utilitarianism dictates that maximizing overall good is key. In this case and perhaps others, the taking down of the paedophile’s content and capturing their login credentials is enough “good” to allow for the action to be seen as acceptable. This is really the basis of The Batman’s ethics in the comics and ideally, for me on this particular incident with Anonymous.

Now, this does not mean I agree with all of their operations as well as certainly not agreeing with the bulk of the actions carried out by the Antisec movement. However, the perspective is the key I suppose. It’s a slippery slope I admit, but, in this case of OpDarkNet, I agree with the greater good being served in this case.

Deontology:

Here we have the Deontologists like Sam Bowne. Deontology is a nice thing to cling to the ethical rules of a governing system of laws. However, it seems to me, and others here, that this system of laws is not working against these offenders in the hidden wiki. Sure, you could say that the LEO’s have ongoing investigations, but, just how many busts have there been as opposed to the massive amount of content located on the hidden wiki and within i2p, Freenet, and TOR?

So far, I have not seen law enforcement really winning this battle.

Oh well, the Deontologists have their point of view and others have theirs. The key here is that Sammy and others like Packetknife are entitled to their point of view. They are right for themselves, and that is the issue with all philosophy and ethics arguments. Like I said, it’s all about your world view. However, I do not ascribe to a moral absolute unlike someone like Sammy.

There are no right answers. There is only what you are willing to accept for yourself.

Legal Aspects of Digital Vigilantism:

Now, on to the legal aspects here.

18 U.S.C. § 2252 : US Code – Section 2252: Certain activities relating to material involving the sexual exploitation of minors 

The US code on activities related to sexual exploitation of minors alludes to the fact that one has to “knowingly” access such content and to have more than 3 pieces of “content” to be considered guilty of child exploitation/pornography. This of course also alludes to the trafficking thereof etc etc in legalese. Where this is important for the digital Batman is where there are caveats.

(c) Affirmative Defense. - It shall be an affirmative defense to
a charge of violating paragraph (4) of subsection (a) that the
defendant -
(1) possessed less than three matters containing any visual
depiction proscribed by that paragraph; and
(2) promptly and in good faith, and without retaining or
allowing any person, other than a law enforcement agency, to
access any visual depiction or copy thereof -
(A) took reasonable steps to destroy each such visual
depiction; or
(B) reported the matter to a law enforcement agency and
afforded that agency access to each such visual depiction.

So, as I said before, if you are trying to take one of these sites down, then do turn off your browser’s images capabilities.. Hell, why not just use Lynx for that matter so as to negate the issue. However, there is a key point here that you all should take into account. It’s the bit about making the LEO’s aware of the content. This is what I was trying to get at before. If Anonymous or anyone is going to go after this content, then it would be best if you tipped off the LEO’s to the site and the content. Now, the above statement implies that if you make the tip, then you are going to let the police have your system to look at… And we all know Anonymous is not going to do that. So, just be judicious about your tip off’s to the authorities. Do your homework and dump the data to them directly, not on Pastebin.

Of course, then there are the issues of hacking a system in the first place… Well, in the DarkNet, the only thing as I see it that is key would be not leaving a trace that you were there. You know, kinda like the whole hiking ethos of only leaving footprints.. But in this case I would suggest not even a footprint should be left behind. It seems to me, that if you hack a paedo site, even with good intentions, you could get the double whammy from the authorities of hacking as well as accessing child porn…

And that could really be problematic.

So, in the end, I circle back to recommending that you become intelligence gatherers and locate the sources to report. If you locate them, and you get some good details for the authorities without having to SQLi them, all the better. You will be doing a good thing AND you will be satisfying the Deontologists in the room.

Keep your wits about you kids.

K.