Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘INTELOPS’ Category

The DNC Hack: SVR? KGB? GRU? Lone Hacker?

with 2 comments

191

Attribution Games:

I grow more and more weary of the attribution games being played in INFOSEC and the DNC hack is just another in a cavalcade of epic missing the point parades. Since the “scoop” given to WaPo by Crowdstrike, there has been a flurry of allegations, revelations, and throwing of attribution dice akin to a basement game of Magic The Gathering repleate with summoning!

“I summon the Russian GRU!”

“I summon the LONE ACTOR!”

“I summon the KGB!”

*slaps down cards on table* TAKE THAT!

The reality here is that there are more than a few games going on here. Think about it, Crowdstrike gets a media coup by selling this story to WaPo, who just happens to have been banned by the Orange Julius of our time, presidential candidate Donald Trump! WaPo jumps on this like a child on a fresh tit and runs with the attribution story and sets the world on fire for Donny boy with the release that the DNC not only was hacked but that his dirty laundry may be in the hands of Kommisar Putin!

“Whoa”

So, first let’s set aside the whole issue of marketing, which is akin for me, to choking on a hairball left from that chick in “Ringu” and move on to the veracity of the attribution as well as the real need to name and shame here. I for one can believe that the two nation state actors software and activities were found by Crowdstrike on the DNC systems. The fact that there are two disparate groups from the same nation state is interesting in itself. I guess they are not really talking to each other and given the state of affairs there in Russia I can see this as being a true accounting. However, I can also see my way to there being third, fourth, fith, sixtieth actors also in the network or having had been in the past as well. Face it, these are government systems who usually go to the lowest bidder right? This was likely the Diagon Alley of Democratic networks.

So, to say that it was only these two actors might be a stretch. There is room for doubt and after the dump by “Guccifer2” as they are calling themselves, it is easier to think that perhaps there is more to the story than what we have been given by the media, the DNC, and Crowdstrike. That the documents are legit on the wordpress site by Gucci and that they seem to be pretty well stamped down on metadata, one can’t make too many assumptions.. Oh, yeah, but everyone is! At the end of the day for me, even though I will play the game a little bit below the fold here, the real issues should be how the hackers did it, and fixing the behaviors of the DNC to stop it from happening for a year or two at a time in the future. Not so much pointing at Russia and yelling; “YOU TOOK OUR SHIT! BAD POOTY! BAD!”

Put another way… I eagerly await the FBI warrants and 10 most wanted cyber listings for the Russian actors they have all this attribution on … I suspect I will be waiting the rest of my life for that one kids… Just sayin. This was mostly about marketing as far as I am concerned and I have to give them props for working that one. Sales must be up in the government area now because of this caper right?

Metadata and Cyrillic:

Meanwhile, after the WaPo story hit the wires the “lone hacker” created his wordpress site and dropped dox as we say on the intertubes. Shortly after the drop people were inspecting, detecting, infecting, and making circles and arrows with captions on the back to describe what you were seeing! … And the conspiracy theory machine went into overdrive. Pwnallthethings made some good comments on the metadata in the dropped dox but really, concluding that this is a Russian disinformation operation from metadata stripped documents on the idea that the machine name was cyrillic for Felix Dzerzhinsky (Феликс Эдмундович)  Really? Now that is fucking SOLID work man! Stellar! FUCK LET’S GO BOMB RUSSIA NOW!

Dr._Strangelove

NAILED IT!

You know at least Crowdstrike has like actual data, ya know, C2’s, malware, and shit like that. Anything else is totally speculative, I mean even more speculative than most attribution that these companies make with real data! Anyway, I took a look at the metadata on the documents and here is what I have found…

  • Much of the data was stamped out in saving from format to format
  • Emails of users though were still embedded in the excel files
  • The word docs have no more metadata than the Iron Felix machine name save, which, gee, kinda leads one to wonder…
  • The image files have no metadata.. none.. niente clean.
  • Grizzli777 is just someone who pirates

Yep, not a lot to see there and people are hanging their collective hats on the deliberate placement of Феликс Эдмундович as the machine name to it’s quite OBVIOUSLY being Mother Russia’s exclusive secret services.

*squint.. takes drag of cigarette*

So here’s my assessment…. Maybe Russia did it… OR Maybe this actor is the real thing and happens to want to take credit. The facts that this person(s) reads, writes, has, cyrillic on their machine and names it after the founder of the KGB is as reliable a means to saying it was Russia as it is to say that aliens built the pyramid because people just were fucking too stupid back then!

All of this hoo ha really means nothing. The fact of the matter is that now Donny’s dirty dirt is open source!

YAAAAY!

Wait.. I read it.. What the shit people? REALLY? THAT’S ALL YOU HAD HILLARY? COME ON!

It doesn’t matter who did it really.. Horse is out of the barn and the barn is on fire kids. So please, stop with all the wankery and move on to the next hack ok?

DATA:

Screenshot from 2016-06-17 13:35:04

Screenshot from 2016-06-17 13:33:43

Screenshot from 2016-06-17 13:31:49

Screenshot from 2016-06-17 12:51:57

Screenshot from 2016-06-17 12:46:55

Screenshot from 2016-06-17 12:46:44

Screenshot from 2016-06-17 12:46:33

Screenshot from 2016-06-17 12:46:14

Screenshot from 2016-06-17 12:46:03

Screenshot from 2016-06-17 12:45:43

Screenshot from 2016-06-17 12:44:48

Screenshot from 2016-06-17 09:51:34

Motivation Analysis and Hypothesis

RIGHT! Well now I want to play the attribution/motivation/game of clue too! So here goes…

Imagine if you will that Russia did do it. Imagine also that Gucci2 is still Russia’s services performing a disinfo campain against Crowdstrike. Now imagine why would they be doing that? Why would they drop Donny’s dox AND all the other fun stuff for the Clinton campaign, which is in trouble already over the cybers! What effects would this have? Let’s list it out for you…

  • Dropped dox of the dirt —-> Blows all Hill had on him unless there is a double secret probation file somewhere
  • Dropped dox yet to be releast on Wikileaks —> Let’s say, as Gucci2 alluded, they were also in Hill’s mail server, ya know, the one that wasn’t supposed to be? Oh yeah…
    • If that server was popped by the Russians and Gucci1 those criminal charges could be much more deleterious right? *waves at FBI*
  • Dropping of dox and general hackery causes DNC and the election process to be even more fractious than it already is
  • Dropping dox makes Hill’s candidacy potentially weaker (hint hint server –> Russians–>PWN wink wink nudge nudge!

So all those effects would do what possibly? Why would they want to do this? WHO WOULD WANT A TRUMP PRESIDENCY?????

Why Pooty of course!

Think about it kids. Given your knowledge of Teeny Tiny Baby Hands Trump, do you think he could stand up to a bearish Putin?  *sorry had to use that one*  Do you think that perhaps Donald is easily.. Shall we say.. Distracted or led? Come on, I know you can all reason this out. A Trump presidency would be sweet sweet love for Putin. He would have a friend, and someone he can sit on his knee to play ventriloquist with! … Well, until he has to polonium enema him that is.

That’s my theory and I am sticking with it… For all the fucks that it is worth.

I will say though.. I am waiting on those documents to show up in Wikileaks. That’s when the shit is really gonna hit the fan.

See you all in INFOSEC attribution Hell.

K.

 

Written by Krypt3ia

2016/06/17 at 18:34

ASSESSMENT: Edward Snowden KGB Asset

with 4 comments

snowmanpootykgb

THE SNOWDEN AFFAIR:

Since the revelations began and the man without a country odyssey started all of our lives have changed at a fundamental level regarding our digital and private lives. The now million plus document trove is being parsed out by Glen Greenwald and others for the public to get a look into the inner workings of the state surveillance apparatus much to the consternation of the IC as well as the government and the dismay of the public. However you look upon Mr. Snowden and his choice you have to admit that the information does lend an insight into the great potential for abuse of the apparatus that the NSA has put together no matter what they may tell you they are doing or not doing to protect us. You see the point is no matter what alleged safeguards and altruism may lie within the apparatus and it’s employees it’s still ripe for abuse that will never see the light of day because it’s all classified and codified by the government. This is the point of the exercise as I see it from Mr. Snowden’s point of view and the aegis behind his doing what he did. Of course from day one darker minds would make assertions that there were darker geopolitical machinations at play and this was all just a dastardly plan to destroy us as a country. Of course as the passion play played out it was first China, the go to country for all our woe’s of late (APT etc) but as time wore on and Snowden found a perch in Russia, it’s now “clear” to some in the government that the plot was in fact Russian all along.

KGB ASSET:

Mike Rogers has been the bell ringer on the idea that Snowden from the get go was in fact a handled and groomed asset by a foreign power. His most recent bellowing without any real evidence is that Snowden was in fact an asset for Russia from the start and furthermore that all of this was done to damage the US and seek primacy once again on the international stage. Of course as I mentioned already Mike cannot offer any evidence and he alludes to “secrecy” of the data but in reality until you have proof that you can emphatically state and present the people it’s all just wild speculation and a form of conspiracy or propaganda in and of itself. While it is possible that Snowden was from the start an asset of the KGB  FSB, the evidence thus far for motive, methods, and follow through are somewhat thin and I cannot go on the record as thinking he was handled from the start by Russia or any other nation state. The fact that Snowden ended up in Russia at Sheremetyevo may in fact be because of the machinations of Assange and Wikileaks brokering the deal to get him there and then to get him allowed into the country not as a plan all along. There is more evidence to say that this is in fact the case then there is of any KGB FSB actions.

OCCAM’S RAZOR:

Using the paradigm of “Occam’s Razor” here let’s run through the possibilities on whether or not the claims being made by Mike Rogers and others out there that this was a carefully planned operation that cultivated Ed Snowden to become the largest leaker in history.

  • Ed Snowden is a naive individual who became through a sequence of events, an administrator within the IC networks and began to see things he thought were illegal and immoral
  • He used his knowledge of hacking and technologies to accumulate data through his own administrative access and social engineering
  • Once he saw the data he decided to leak all that he could and after seeing what happened to Manning made a plan to go to a country that in all the spy novels is easy to infiltrate and ex-filtrate out of
  • The NSA itself had poor OPSEC and threats from insiders were poorly covered thus making this possible (proven to be the case)
  • The NSA could not even keep track of internal access and exploitation (proven to be the case)
  • He contacted the press and was turned down by some until he met Greenwald and Poitras who then planned with him how to release the data and to firewall Snowden off
  • While in HK it became clear he could not stay there once the NSA/USA/UKUSA and other apparatus began working in the background to extradite him
  • Poitras, Greenwald, and then Wikileaks ex-filtrated Snowden out of HK and to Russia where a brokered interim solution of the airport no mans zone was at least possible
  • Snowden is a prize for the KGB FSB after the fact from not only an intelligence perspective but also a political one that thumbs its nose at the US (a win win for Putin)

 

  •  Edward Snowden was a carefully orchestrated long term asset by the KGB FSB trained by them to infiltrate the NSA and then use his domain admin/root access to steal them blind, exploiting their logical and technical vulnerabilities who they then ex-filtrated to HK and to Russia as a smoke screen for their own operational cover
    • Snowden was handled by KGB FSB for years while coming up the ranks as an UN-credentialed cleared individual clearly taking advantage of the US’ lax clearance and oversight process post 9/11
    • Snowden was in contact with Russia from the start and is a consummate operator perhaps even a cleverly created cutout sleeper agent
    • Once gathering all the data Snowden then passed it to Russia for them to digest and then leak to the world to cover their own operations and shame the US
    • Snowden is now a hero of the state in Russia and will get a hero’s treatment with access to all that Russia can offer in the post Soviet Oligarchy (inclusive Anna Chapman visits)

Hmmm is it just me or does the razor only really cut one way?

ANALYSIS:

My take on the whole affair is that Snowden was not a paid/cultivated/handled asset of the KGB FSB nor do I think that he was aided in any way by Russia in carrying out this leak/exploit. What I do think is that he is naive but also that what he was seeing, what we are all now seeing today in the news made him feel that the accumulation of power in a central secret body was anathema to freedom and the American ethos. As we have seen in the news there have been many things that the government has allowed, even shall we say promulgated, that are clearly violations of the US Constitution no matter the inveigling that might occur by those in power as to it’s legality. So I for one can see why someone like Snowden might do what they did outside of their own propensities for spy novels and a sense of right and wrong.

The realities are that no matter the attestations by those running the programs and their need to use them, there is always a chance of their abuse and subsequent burial of the facts through classifications and National Security letters as we have seen these last years. Were egregious abuses happening and are they still today? I am sure there are some, after all this is nothing new and all you need do to confirm that is Google Quis custodiet ipsos custodes? or look just to recent history with the Plame Affair to see how abuses can and have happened. So is it really outside the pale for someone with a conscience and perhaps an overactive imagination to think that great wrongs are being committed in all our names? I think that while there may have been no abuses “may” I also think that the capacity for abuse and the infrastructure to hide them is easily seen within the current architecture of the IC apparatus of the NSA and their programs. After all, if you want to ask about the idea that if you have nothing to hide you have nothing to fear, I ask you to tell me just exactly how you feel every time you go through a TSA checkpoint at the airport today.

Finally, I would also like to touch on the idea that the governments own hubris and now embarrassment is firing the boilers on this whole blame game that Snowden is in fact a handled asset of the Russians. I think that the NSA/USGOV and IC community feel the sting of their inadequacies as they have been laid bare for all to see. You see, Snowden did not carry out some 3l33t hacking here to gather the data. He used common techniques and vulnerabilities within the NSA and other government IC bodies to steal data and put them all on a USB stick and then walk out with them. It’s a simple trick and the top of that list is actually just socially engineering people for their passwords within the confines of the most secretive and secret IC shops in the world. Now that has to sting a bit wouldn’t you agree? So there is shame all around here on the part of the government and it puts them all in a weak position tactically. The reactions of all those at play seems to be more along the lines of dialogue from a playground spat rather than state or spycraft and it’s sad really. As the immortal words of GW Bush can attest;

“There’s an old saying in Tennessee – I know it’s in Texas, probably in Tennessee – that says, fool me once, shame on – shame on you. Fool me – you can’t get fooled again.”

To me, it seems that Snowden just did what he did because of a myriad reasons that also include a certain amount of self aggrandizement. However, I can point to things in our own history and to popular media that may explain why someone might do something like this on the grounds that they think it’s illegal, immoral, and against the tenets of the USA. While POTUS is right about how important these types of programs can be in the war on terror and the every day intelligence gathering that every country needs to survive, it should also be possible to have some level of oversight to disallow for abuses of power to happen and happen with great frequency due to over classification. These are fundamental changes that should occur but the reality is that the very nature of the work being done and the culture within it’s halls will stoip any real progress being made. In the end nothing will change and the NSA will continue to collect all the data it can like a giant hoover-matic for later sorting and use.

Having grown up in the era of Nixon though, and other revelations like Iran Contra, I for one not only know that these things will continue to happen but that they have in the past and should be in our collective consciousness. Unfortunately many do not remember and the only entree into such ideas may in fact be cinema… I leave you with this scene from “Three Day’s Of The Condor”

Not everything in cinema is just fantasy…

“scr hrw lgihr kzpzz cwl nci pjwt”

Written by Krypt3ia

2014/01/20 at 14:25

ASSESSMENT: Virtual World Recruitment and Operations of Jihadi’s In WOW

with one comment

Screenshot from 2014-01-16 09:56:09

Virtual Worlds vs. The Internet or Darknet:

A recent post on Wired had a bold claim in the title; “U.S. Intel: Osama Bin Laden Avatar Could Recruit Terrorists Online for Centuries” that made me snort then giggle then facepalm. Once again we see that the government has been watching too many Hollywood movies and listening to too many cyber snake oil salesman. This current regurgitation stems from a newly declassified report that was requested by the IC on virtual worlds and terrorism (aka jihad) and makes some far fetched assertions about technologies that just aren’t there yet. Presently though we do have the internet and it can be seen as a virtual world in and of itself, and that is not even covering the idea of darknets. The report though really covers the idea that virtual worlds, i.e. game universes are the place where jihad will bloom as well as many sundry other types of illicit activities. While this idea is a common plot for B movies it has not really been the reality within the virtual reality of games like WOW (World of Warcraft) In fact a recent dump from “Snowman” (Ed Snowden) showed how the NSA had teams of individuals trawling WOW and other games seeking terrorists to little or no avail. Most took this as yet another invasion into the privacy we all thought we had, but some of us just had to laugh because we were in fact also tasked with looking for the AQ set in the same games as well.

So while the government think tankers and scientists were creating this report others were in fact looking not only in the game environments for secret comm’s but also within the internet itself. There are many boards online since 2001 that have sprung up and gone away as I have reported on over the years. The internet is the virtual world today and will likely be it in the future, we will just interface with it a little more organically with things like Google Glass or some other HUD devices. So yes POTUS and the IC, the terrorists are in the virtual world of the internet, just not so much are they plotting the end of the West in WOW or Second Life. In fact, to date they have yet to really make inroads into the Darknet as well so really, they aren’t hiding all that much with super secret sites, after all, they have to advertise to get recruits, this is why they came up with Al-Malahem in the first place.

Jihad Online:

To date the Jihadi’s have been on the learning curve as to how to leverage the internet. Much of their message gets lost outside of the insular community-scape of their lives as Muslims in the would be caliphate. Many sites are out there for the jihadi’s to talk to each other and they are mostly not very secret about them. Sure there are sites that are a little more stealth but in general the web is being used on one level to radicalize and proselytize. On the other end of the spectrum the C&C for Jihad is as easy as setting up an email and using encryption to send instructions back and forth. In fact, they now have chat rooms and programs for some point to point chat as well so really they are learning but I would hardly say that they are as cyber aware or capable as say an Anonymous cell today. I have written a lot over the past 13 years about this topic and investigated many sites and while it is a threat as a means of communicating and having a command and control base, I have also seen great gaff’s in OPSEC as well that lead right back to these notional jihadi’s (like the IP address in the tutorial video on how to hack of their own system) Sure, the jihad is online but it is not as Gibsonian as the paper linked above would make it out to be nor do I think it will be so in the near future.

Virtual Sociology and Psychology:

The paper linked above however is correct in some of its assessments on the future of the internet and technology to allow us to interface with it. We are creating more and more ways to interface with the data we love to share and as time goes on we will be more awash in a sea of it every waking moment of the day. This also leads to social and psychological developments on how we act as societies and people as well. I have written about this in the past as well and while this stuff is interesting the contentions in the paper are starting to come to pass. There is a section on criminality that we are seeing actually happen in the darknet with places like Silk Road, and all the criminality that seems to be flourishing in the darknet. This is happening now because TOR and the darknet implies that you can actually transact there in secrecy and keep your privacy, this leads to a dis-inhibition effect that leaves the user thinking they are invincible… Or more to the point invisible. This of course is now being shown not to be completely true with the arrest of The Dread Pirate Roberts (v1) and the take-down of the Silk Road (v1) site in the darknet. All of this too has to be taken into account when trying to kluge the idea that the internet or more to the point WOW is going to be the ground zero for terrorism. As the jihadi’s have seen with their efforts online it is hard to actually recruit and radicalize people simply through slick magazines and slogans, especially when you are asking a Westerner to strap explosives on and kill themselves in the name of jihad. The psychology of interaction when not in person is a problematic one so yes, the idea of a virtual you interacting in a metaverse while entertaining, is likely not going to actuate offline behaviour and actions.

What The Government Sees As Future State:

Once again the government and the politicians are getting spoon fed notions that there is a great dystopia about to take place where William Gibson novels are the reality. There’s a terrorist in every chat room and a dark cyber plot in each packet passed over the net. While once again this makes a great B movie, I have to once more say poppycock! It always amazes me what the government and military types will swallow from some think tanker’s delusion as reality and a clear and present danger. Since we have had the revelations that the NSA did in fact have people trawling in WOW, and I myself was tasked at one point to look into it as well we can extrapolate that people in power saw this and other like reports as the gospel. It is just an assumption here as well that as the net convergence continues and we begin using wearable computers with HUD interfaces that the government will be seeing more terrorists on every street corner as they are trying to type with their haptic gloves and it’s sad really.

ASSESSMENT of Jihadist Recruitment and Operations Online & In Virtual Worlds 2001-2014:

Screenshot from 2014-01-16 09:21:00

Screenshot from 2014-01-16 09:37:23

The assessment is this, as you see above, there was no real evidence of these games or virtual worlds being used for terrorism. Sure there is criminality going on but hey that happens everywhere and with every technological solution offered. Will there be terrorism on the net in the future? Sure. Are people plotting and planning things online now? Yes. Is it the Gibsonian novel that they seem to be making it out to be in the report linked above? Not so much. As for this notion that the avatar of Bin Laden will be exhorting and recruiting terrorists for a hundred years online and in the game verse? No. While there have been a couple games put out by jihadi’s in the past this has not proved to be something that worked for the masses and brought more to jihad. This notion of the Bin Laden avatar is just ridiculous and quite the one dimensional approach to thinking about the online world and the nature of the jihad.

K.

Written by Krypt3ia

2014/01/16 at 16:15

Book Review: An Introduction to Cyber-Warfare: A Multidisciplinary Approach

with one comment

cyberwarprimer

IJPFRH CPAGP EIIL!

CYBER CYBER CYBER!

CYBER CYBER CYBER! or “CRY HAVOC AND LET SLIP THE DIGITAL DOGS OD CYBER WAR!”” is often what you hear from me in a mocking tone as I scan the internet and the news for the usual cyber-douchery. Well this time kids I am actually going to review a book that for once was not full of douchery! Instead it was filled with mostly good information and aimed at people who are not necessarily versed at all in the cyberz. I personally was surprised to find myself thinking that I would approve this for a syllabus (as it has been placed into one by someone I know and asked me to read this and comment)

The book really is a primer on IW (Information Warfare) and Cyber-Warfare (for lack of a better nomenclature for it) which many of you reading my blog might be way below your desired literacy level on the subjects. However, for the novice I would happily recommend that they read the book and then spend more time using ALL of the footnotes to go and read even more on the subject to get a grasp of the complexities here. In fact, I would go as far as to say to all of you out there that IF you are teaching this subject at all then you SHOULD use this book as a starting point.

I would also like to say that I would LOVE to start a kickstarter and get this book into the hands of each and every moron in Congress and the House. I would sit there and MAKE them read it in front of me *surely watching their lips move as they do so* There are too many people in positions of power making stupid decisions about this stuff when they haven’t a single clue. I guess the same could be said about the military folks as well. We have plenty of generals who have no idea either.. That’s just one man’s opinion though.

As we move further and further down the cyber-war road I think that books like this should be mandatory reading for all military personnel as well as college level courses in not only IW/INFOSEC but also political and affairs of state majors as well. We will only continue down this road it seems and it would be best for us all if the next wave of digital natives had a real grasp of the technologies as well as the political, logical, and tactical aspects of “Cyber”

I have broken down the book into rough chapters and subject areas as it is within the book (mostly) It really does cover more of the overall issues of cyber-warfare and methods used (not overly technical) The modus operandi so to speak of the actual events that have taken place are laid out in the book and give you a picture of the evolving of IW to what we see today as “cyber-warfare” I will comment on those sections on what I thought was good and what I thought was derpy of course, I mean would you all have it any other way?

IW (INFORMATION WARFARE) RUSSIA

The authors cover early IW with the Russian saga’s over Georgia and Estonia. There is a lot in there that perhaps even you out there might not know about the specifics of the incidents where Russia is “alleged” to have attacked both countries at different times with different goals and effects. Much of this also touches on the ideas of proxy organizations that may or may not be state run that were a part of the action as well as a good overview of what happened.

In the case of Georgia it went kinetic and this is the first real “cyber-warfare” incident in my mind as cyber-war goes. I say this because in my mind unless there is an actual kinetic portion to the fighting there is no “war” it is instead an “action” or “espionage” so in the case of tanks rolling in on Georgia we have a warfare scenario outright that was in tandem with IW/CW actions.

OUR CHINESE OVERLORDS

Ah Chairman Meow… What book on Cyber would be complete without our friends at the MSS 3rd Directorate huh? Well in the case of this primer it gets it right. It gets across not only that China has been hacking the living shit out of us but also WHY they are doing it! The book gives a base of information (lots of footnotes and links) to ancillary documentation that will explain the nature of Chinese thought on warfare and more to the point Cyber-Warfare. The Chinese have been working this angle (The Thousand Grains of Sand etc) for a long time now and there are more than a few treatises on it for you to read after finishing this book.

The big cases are in there as well as mention of the malware used, goals of the attacks and some of the key players. If you are out to start teaching about Chinese electronic/cyber/IW then this is a good place to start. Not too heavy but it gets the point across to those who are not so up to speed on the politics, the tech, or the stratagems involved.

ANONYMOUS/SEA/LULZSEC

Anonymous, as someone on my Twitter feed was just asking me as I was writing this piece, is also a part of this picture as well. The idea of asymmetric online warfare is really embodied by these groups. The book focuses more on Lulzsec and their 50 days of sailing but it doesn’t go too in depth with the derp. Suffice to say that all of them are indeed important to cyber-warfare as we know it and may in fact be the end model for all cyber-warfare. How so? Well, how better to have plausible denyability than to get a non state group to carry out your dirty war? Hell, for that matter how about just blame them and make it look like one of their ops huh?

Oddly enough just days ago Hammond wrote a piece saying this very thing. He intoned that the FBI via Sabu were manipulating the Anon’s into going after government targets. This is not beyond comprehension especially for places like China as well. So this is something to pay attention to. However, this book really did not take that issue on and I really wished that they had. Perhaps in the next updated edition guys?

THE GRID

OY VEY, the “GRID” this is one of the most derpy subjects usually in the media as well as the books/talks/material on cyber-warfare out there. In this case though I will allow what they wrote stand as a “so so” because they make no real claim to an actual apocalypse. Instead the book talks about the possible scenarios of how one could attack the grid. This book makes no claim that it would work but it is something to think about especially if you have an army of trained squirrels with routers strapped to their backs.

It is my belief that the system is too complex to have a systematic fail of apocalypse proportions and it always has been so. If the book talked about maybe creating a series of EMP devices placed at strategic high volume transformers then I would say they’d be on to something. However, that said, the use of a topological attack model was a good one from a logical perspective. They base most of this off of the Chinese grad students paper back years ago so your mileage may vary. So on this chapter I give it a 40% derp.

WHAT’S MISSING?

All in all I would have liked to have seen more in the political area concerning different countries thought patterns on IW/CW but hey, what can ya do eh? Additionally I think more could have been done on the ideas of offense vs. defense. Today I see a lot of derp around how the US has a GREAT OFFENSIVE CAPABILITY! Which for me and many of you out there I assume, leads me to the logical thought conclusion of “GREAT! We are totally offensive but our defense SUCKS!” So much for CYBER-MAD huh?

I would have also like to have seen more in the way of some game theory involved in the book as well concerning cyber-warfare. Some thought experiments would be helpful to lay out the problems within actually carrying out cyber-war as well as potential outcomes from doing so more along the lines of what I saw in the Global Cyber-Game.

OVERALL TAKE

Well, in the end I think it is a good start point for people to use this in their syllabus for teaching IW/CW today. It is a primer though and I would love to see not only this end up on the list but also the Global Cyber Game as well to round out the ideas here. To me it is more about “should we do this?” as opposed to “LETS FUCKING DO THIS!” as the effects of doing so are not necessarily known. Much of this territory is new and all too much of it is hyped up to the point of utter nonsense. This is the biggest problem we have though, this nonsense level with regard to the leaders of the land not knowing anything about it and then voting on things.

We need a more informed populace as well as government and I think this book would be a good start. So to the person who asked me to review this..

Put it in the syllabus!

K.

JIHADI’S HOLD LEGION OF DOOM CON CALL!! WOULD YOU LIKE TO KNOW MORE?

with one comment

fednet

AZIJ XXRZ HMCKIDACVA GZ UZZW!

The Legion of DOOM!

Yesterday the camel’s back finally snapped in my head after reading a post on Harper’s Magazine entitled “Anatomy of an Al Qaeda Conference Call”  which the author called into question the whole story that was put out by the Washington Times and their “anonymous sources”  The paper claimed that Ayman Zawahiri and all the heads of the various jihadi splinter groups got onto their polycom phones and their SIP connections to have a “concall” as we say in business today.

You all may remember the heady headlines in the last couple weeks where the mass media picked up on this story and began scribbling away on how the so called jihadi “Legion of Doom” dialed in for a sooper sekret meeting to plan the end of our Western Civilization. Now, I am sure some of you out there have seen my screeds (140 chars at a time more so recently) on just how we get played too often by the media and the government on some things but this, this is just epic stupid here. If you or anyone you know believed any of this claptrap coming from the media please seek psychiatric attention post haste.

Let me tell you here and now and agreeing with the article cited above, that the “LOD” did not have a skype or asterisk call to plan our downfall. At the most they likely had a meeting of the minds in a chat room somewhere within the jihadist boards out there or had a server set up somewhere for them all to log into an encrypted chat. I lean towards the former and not the latter as they usually lack subtlety online. Though, given the revelations from Mssr “Snowman” I can see how the prudent Ayman would want this to be on it’s own server somewhere and for people to authenticate locally and encrypted on a system that does not keep logs… But I digress…

Suffice to say that a group of leaders and minions thereof got together for a chat on <REDACTED> and that they talked about plans and ideas (from hereon I am going to coin the term ideating) for the destruction of the West and the raising of a new global caliphate. Does that sound familiar to you all? Gee, I can’t seem to put my finger on where I have heard that one before. … So yeah, there was a meeting, there were minions, and there were plans but here’s the catch; NOTHING WAS SAID THAT ALLUDED TO A REAL PLAN! No, really, there wasn’t any solid evidence that prompted the closing of the embassies all over. It was a smoke and mirrors game and YOU all were the captive audience!

As you can see from the article cited there seems to be a lot amiss with all of this now that some reality has been injected into the media stream of derp. Why was this all brought to you in the way it was put out there by the media? Was it only the demented scribblings of one reporter seeking to make copy for his dying paper? Or was there more to it? Was there a greater plan at play here that would have the media be the shill to the duping of the public in order to make them see say, the NSA in a different light in these times of trouble for them?

Makes you wonder huh?

DISINFORMATON & OPSEC

So yeah, a story comes out and there are “sources” sooper sekret sources that are telling the reporter (exclusively *shudder with excitement*) that the Great Oz of the NSA has intercepted a LIVE call with the LOD and that it had scary scary portents for us all!

WE. ARE. DOOMED!

That the NSA had help prevent a major catastrophe from happening because they had the technology and the will to listen in on a conversation between some very bad dudes like Ayman and the new AQAP leaders plotting and planning our cumulative demise.

*SHUDDER*

The truth of the matter though is a bit different from the media spin and disinformation passed on by the so called “sources” however. The truth is this;

  • The “con call” never happened. There was no set of polycoms and Ayman is not a CEO of AQ.
  • The fact is that Ayman and many of the other “heads” of the LOD were not actually there typing. It was a series of minions!
  • The contents of the “chat” were not captured live. There was a transcript captured on a courier that the Yemeni got their hands on and passed it on to the Western IC. (So I have heard, there may in fact be a chance they captured the stream using this guys acct) the Yemeni that is, not so sure it was us.
  • As I understand it, there was nothing direct in this series of conversations that gave any solid INTEL/SIGINT that there was a credible threat to ANY embassies.

There you have it. This has been WHOLLY mis-represented to the Amurican people. The question I have is whether not there was an agenda here on the part of one of the three parties or more.

  • Right wing nutbag Eli Lake
  • The “anonymous sources of intel”
  • The “anonymous sources handlers”

These are the key players here that I would really like to get into the box and sweat for a while. After the madness was over and sanity let it’s light creep into the dialog, we began to see that these so called sources were no more or less better than “CURVEBALL” was during the run up to the Iraq war. In fact, I guess you could say they were less effective than old curveball because we did not actually go into another half baked war on bad intelligence this time did we?

Another question that should be asked here is why was this information leaked in this way to the press on an ongoing operation that I would say might be pretty sensitive. I mean, you have a channel into a chat room (or *cough* con call as the case may be har har) that you could exploit further and yet you decide to close all the embassies and leak the fact that you have closed said embassies because you intercepted their sooper sekret lines of communication?

*blink blink*

Holy what the Hell? What are you thinking POTUS and IC community? Oh, wait … Let me ideate on this a bit….

  • The intel community is in the dog house right now because of the SNOWMAN FILES yup yup
  • So a WIN would be very very good for PR wouldn’t it? I mean you don’t have to hire a PR firm to figure this one out right?
  • HOLY WIN WIN BATMAN! We tell them we foiled their plans using sooper sekret means that the public hates for infringing on their “so called” rights and we can win hearts and minds!

Could it be that simple?

All joking aside though, think about it. Why blow an operational means of watching how the bad guys are talking UNLESS it was never something you really had access to in the first place right? You could win all around here (though that seems to be backfiring) IF the Yemeni passed this along and it was after the fact then how better to make the AQ set abandon the channel by saying you had access to it?

Right…

How better also to try and get a PR win by alluding (ok lying lying lying with pantalones on fire!) that you had compromised (you being the NSA and IC here) said channel! I guess overall the government thinks that the old axiom of “A sucker born every minute” still applies to wide scale manipulations of stories in the media to sway thought huh? Oh and by the way, if any of you out there think this is just too Machiavellian I point you to all those cables dropped by Wikileaks. Take a look at the duplicity factor going on in international realpolitik ok?

Political Wag The Dog

It seems after all once all the dust has settled that either one of two things happened here;

  1. Eli Lake did this on his own and played the system for hits on his paper’s page
  2. Eli Lake was either a witting or un-witting dupe in this plan to put out some disinformation in a synergistic attempt to make the IC and the government look good on terrorism in a time where their overreach has been exposed.

It’s “Wag The Dog” to me. Well, less the war in Albania right? I suggest you all out there take a more jaundiced eye to the news and certainly question ANYTHING coming from “ANONYMOUS SOURCES” on NATSEC issues. It is likely either they are leakers and about to be prosecuted, or there is a cabal at work and DISINFORMATION is at play using the mass media as the megaphone.

Sorry to sound so Alex Jones here but hell, even a clock is right twice a day.

K.

 

BofA Gets A Burn Notice

leave a comment »

data-deeper

rode bb iqdnpmbia fpn’k ybi lr qektrf?

PARANOIA 

par·a·noi·a

[par-uh-noi-uh]  

noun

1.

Psychiatry. a mental disorder characterized by systematized delusions and the projection of personal
conflicts, which are ascribed to the supposed hostility of others, sometimes progressing to
disturbances of consciousness and aggressive acts believed to be performed in self-defense or as a mission.
2.

baseless or excessive suspicion of the motives of others.
Also, par·a·noe·a  [par-uh-nee-uh]  Show IPA .
Origin: 
1805–15;  < Neo-Latin  < Greek paránoia  madness. See para-, nous, -ia

Paranoia , the Anonymous intelligence division (self described) published a dump of data ostensibly taken from Bank of America and TEK Systems last week. The information presented seems to show that BofA had contracted with TEK to create an ad hoc “Threat Intelligence” unit around the time of the LulzSec debacle. Of course since the compromise of HB Gary Federal and the revelations that BofA had been pitched by them to do some contract work in the disinformation business it only makes sense that BofA would set up a threat intel unit. The information from the HB Gary dumps seemed to allude to the fact that BofA was actively looking to carry out such plans against those they perceived as threats. Anons out there took great umbrage and thus BofA was concerned.

This blog post is being put together to analyze the data dumped by Anonymous and to give some perspective on what BofA may have been up to and to set some things straight on the meanings of the data presented by Paranoia. First off though I would like to just say that I think that generally BofA was being handed lackluster threat intel by a group of people with intelligence background. (for those names located in the dumps their LinkedIN pages showed former mil intel work) This of course is an opinion formed solely from the content that was available online. There may have been much more context in formal reports that may have been generated by the analysts elsewhere that was not open for the taking where Anon found this dump. The daily and monthly reports found in the database showed some analysis but generally gave rough OSINT reports from online chat logs, news reports, and pastebin postings. There seemed to be a general lack of product here and as such I have to wonder if there ever was or if perhaps those reports never made it to the internet accessible server that anonymous downloaded them from.

B of A’s THREAT INTELLIGENCE TEAM

Since the leak of their threat intelligence BofA has been recruiting for a real team it seems. A Google of the parameters show that they have a bunch of openings all over the place for “Threat Assessment” It makes sense since the TEK Systems team may in fact be mostly defunct but also that they likely would want an in house group and not have to pay overhead on consultants to do the work for them. TEK’s crew as well may have been the problem that caused the leak in the first place by placing the data in an accessible area of a web-server or having passed the data to someone who did not take care of it. Either way it looks as though BofA is seeking to create their own intelligence apparatus much as many other corporate entities are today. The big difference though is what exactly is their directive as a group is to be.

One of the problems I have with the Paranoia analysis is that they take it to the conspiratorial level and make it out to be some pseudo CIA like entity. The reality though is that from what has been shown in the documents provided, that this group really was only tasked with OSINT and threat intelligence by passive listening. This is a key difference from disinformation operations and active participation or recruiting of assets. I will cover this in more detail further on in this post so suffice to say that what BofA was doing here was not only mediocre but also not Machiavellian in nature. The argument can be made though that we don’t know the whole picture and I am sure Paranoia and Anonymous are leaning that way. I cannot with what I have seen so far. What I see is an ad hoc group of contractors trying to create an intelligence wing as a defensive maneuver to try and stay ahead of incidents if not deal with them more effectively should they not be able to stop them.

Nothing more.. Nothing less.

Threat Intelligence vs. Analysis and Product

All of this talk though should be based on a good understanding of what intelligence gathering really is. There are many variations on intelligence tasks and in this case what is clearly seen in the emails and documents is that this group was designated as a “Threat Intelligence” collection group. I have written in the past about “Threat Intelligence” and the misnomer many have on the idea that it is some arcane CIA like pursuit. One of the bigger problems overall is perception and reporting where intelligence gathering is concerned. Basically in today’s parlance much of the threat intelligence out there in INFOSEC is more around malware variants, their C&C’s and perhaps who are running them. With the advent of APT actors as well as criminal activity and entities like Anonymous the paradigm of threat intelligence has come full circle back to the old school idea of what it is from the military sphere of operations.

Today’s threat intelligence is not only technical but also human action driven and this makes it even more important to carry out the collection and analysis properly in order to provide your client with the information to make their decisions with. Unfortunately in the case of the data from BofA we see only sketchy outlines of what is being pasted online, what may be being said in IRC sessions, and what is in the news. Nothing overly direct came from any of the data that I saw and as “product” I would not be able to make much of any decisions from what was presented by TEK Systems people. What is really missing within the dump from Paranoia was any kind of finished analysis product tying together the information in a cogent way for the executives at BofA. Did TEK actually carry this type of activity out? Were there actual reports that the execs were reading that would help in understanding the contents of the raw intelligence that was being passed on in emails daily and monthly? I cannot say for sure. What I did see in the reporting (daily threat reports as well as monthly) were some ancillary comments by a few of the analysts but nothing overly structured or productive. I really would like to know if they had more of an apparatus going on here as well as if they plan on creating one again with all of the advertised positions in that Google search above.

Threat Intelligence vs. HUMINT

This brings me to the whole issue of Threat Intel vs. HUMINT. It would seem that Paranoia thinks that there is much more than meets the eye within the dump that makes them intone that there is a HUMINT (Human Intelligence) portion to the BofA program. While there may well be some of that going on it was not evident from any of the documents I looked at within the dump files. HUMINT would imply that there are active participants of the program out there interacting with the targets trying to recruit them or elicit information from them. With that kind of activity comes all of the things one might conjure up in their heads when they think on NOC (Non Operational Cover) officers in the CIA trying to harvest intelligence from sources (assets) in the field. From everything seen that was posted by Paranoia this is not the case.This operation was completely passive and just collecting data that was in public view aka OSINT. (Open Source Intelligence) Could BofA be seeking to interact more with Anon’s and generate more personal data other than that which the Anon’s posted about each other (DOX’ing) sure but there is no evidence of that. Given the revelations with HB Gary though I can see why the Anon’s might be thinking that they are likely taking more robust non passive actions in the background elsewhere though. Overall I just want everyone to understand that it’s not all cloak and dagger here and seems that Paranoia has a flair for the dramatic as a means to get their point across. Or, perhaps they are just living up to their name.

Assessment

My assessment in a nutshell here of the Paranoia BofA Drop is as follows:

  1. Paranoia found some interesting documentation but no smoking gun
  2. TEK systems did a mediocre job at Threat Intelligence with the caveat that I am only working with the documents in plain view today
  3. BofA like any other company today has the right to carry out this type of activity but they need to make sure that it’s done well and that it isn’t leaked like this
  4. If more documents come out showing a more in depth look at the OSINT being collected then perhaps we can change the above findings
  5. BofA needs to classify their data and protect it better on this front
  6. Paranoia needs to not let its name get the best of itself

All the drama aside this was a ho hum really. It was funny seeing all the analysts taking down their LinkedIN pages (really, how sekret squirrel is it to have a LI page saying who you work for doing this kind of work anyway? SECOPS anyone?) I consider those players quite burned and assume they are no longer working on this contract because of it. All you analysts out there named, you are now targets and you are probably learning SECOPS the hard way huh? I guess in the end this will all just be another short chapter in Encyclopedia Dramatica and an object lesson for BofA and maybe TEK Systems.

For everyone else.. It’s just LULZ.

K.

Counterintelligence, False Flags, Disinformation, and Network Defense

with one comment

//B zrxr wwmpxjnp vf ygwyr jh kur gig vvbxv nf o “yinwf zcnt”. Ilmf xp vv lbi vwwpe grxr mhct sxh ubpifmpxt qzgu o izkruyi nar t tcqjhrgrf. Mpgwf xrlf hawwki, CU’f uoom oehhvgvq lbtmqm, ybywzzcqt, ueq vbyzcvfx nngsk ucvlm. Pbh bxmf e qlf.\\

Threat Intelligence, Counterintelligence, and Corporate | Nation State Espionage

“Threat Intelligence”, a term that is just behind the oft used “Cyber” and God forbid, “Cyber” is all too often put in front of it as well to add more oomph for sales people to sell their brand of security snake oil… “But wait there’s more!” We also have other spook terms being kluged into the INFOSEC world now because, well, it’s cool to those cyber warriors out there. I know, I sound jaded and angry, which, yes, yes, I am, but… Well, it’s just gone completely off the rails out there. I hear people talking about these topics as if they know what they are talking about even with the exceedingly limited scope of digital security matters (i.e. hacking/forensics/defense)

I would like to clear the air here a bit on these terms and how they do really apply to the world of INFOSEC that we in this business now find ourselves in, one littered with military and spook terms that you may not be really familiar with. First off, lets look at the terms that have been thrown around here:

Threat Intelligence: In the spook world, this is the gathering of intelligence (HUMINT/MASINT/SIGINT etc) to determine who has it in for you and perhaps how they plan on getting at you.

Counterintelligence: Spies who hunt other spies (Mole Hunts etc)

Espionage (Nation State and Other) The umbrella under which this whole rubric exists. Nation state and other have the component of “Industrial” as well (i.e. IP theft)

Ok, so, where once we used to only have people in three letter agencies worried about “ThreatIntel” we now have the INFOSEC community looking at “threats” to their environments and calling it “Threat Intelligence” now. While it’s a cool name, does it really apply? What was it before the whole APT thing broke as well as the cyberwar-palooza we have today? For the most part, I can see only half of the term applying to any non state entity or three letter agency and that is of what “threats” are out there today. This means what exploits and pieces of malware are out there that your environment would be susceptible to.

Nothing else.

That is unless you suddenly have a company that has decided to launch its own “Intelligence arm” and yes, this has happened, but usually only in larger companies with defense contracts in my experience. Others though, have set them up, like Law firms, who then hire out ex spooks to do the work of counterintelligence as well as intelligence gathering to have an edge over everyone else. Perhaps this is bleeding out into other areas as well in corporate America huh? The point here for me is that unless you have an intelligence arm (not just INFOSEC) you should not be using the term “Threat Intelligence” as an encompassing statement of “there’s malware out there and this is what it is” Point blank here, IF YOU AREN’T DETERMINING WHO YOUR ADVERSARY IS AND WHAT THEIR PLAN IS… IT”S NOT THREAT INTELLIGENCE.

Looking at IP’s on an SIEM and reacting to a triggered event is not threat intelligence. It’s INCIDENT RESPONSE. It’s AFTER THE GOD DAMN FACT OK?

So, stop trying to make it sound cooler than it really is people. To further this idea though, we still have “Counterintelligence” which FOR FUCKS SAKE I have personally seen in a title of a complete MORON at a large company. This fucker sits around all day looking at his stock quotes though, see, it’s just a cool title. It has no meaning. UNLESS you really have an operational INTELLIGENCE UNIT in your company.

*Look around you.. Do you? If not then STFU*

If you do have a real intelligence wing in your org that carries out not only COUNTERINTEL/INTEL/HUMINT/THREATINTEL then more power to you. If not, you’re deluding yourselves with militaristic terms and cyberdouchery… Just sayin.

However, the way things are going with regard to the world, I should think that you might see more of these kinds of intelligence arms springing up in some of the larger corporations of the world. It’s a rough world and the fact that everything is networked and global has primed the pump for these kinds of activities to be a daily operations tool. It’s now the blurring of the lines between what nation states solely had the control and aegis over to now its becoming privatized and incorporated.

William Gibson saw it.. Phramacombinats and all.

False Flags and Disinformation Campaigns

Which brings me to the next level of affairs here. When I was on the DEFCON “Fighting Monsters” panel, I made some statements that seem to have come to pass. I spoke about how Anonymous would have to worry about “False Flags” against their name as well as expand upon the idea that Pandora’s box had been opened. Nothing on the internet would really be the same because we all had moved into the “spook world” by the actions of Anonymous as well as things like Stuxnet. The lines had been blurred and all of us net denizens need to be aware that we are all pawns in a series of greater games being played by corporations and governments.

Since then, we have seen many disinformation campaigns (think sock puppets on social media, fake news stories, rumours, etc) as well as false flag actions where Anonymous may have been blamed or named for actions that the core did not carry out. So many times since then we have seen Anonymous attempt to set the record straight, but, like I said before, who’s gonna believe them because they are “anonymous” and disparate right? Could be anyone… Could be them… And with previous actions, are they to be trusted when they say they did not do it? See, the banner thing (hive mind) has a tremendous proclivity for severe blowback as they have learned.

What’s sauce for the goose though, is also good for the corporate, political, private gander right? How many Acorn operations do you need to see happening in the election cycle to realize that this has been going on for some time and that, now, with the internet, its easier to perform these kinds of operations with a very small group with minimal effort as well? Pandora’s box was not only opened, it was then smashed on the floor and what was once contained inside has been forever unleashed upon us all.

Yay.

Now, going back to you INFOSEC people, can you then foresee how your companies reputation or security could be damaged by false flag operations and disinformation? A recent example may in fact be the attack purported to be on against Josh Corman of Akamai because he said some things that “some” anonymous players did not like. Were they really out to get him? Were they doing this out of outrage or was there another goal here? What you have to ask yourselves is, what is my company and it’s employees susceptible to in this area? Just as well, this also applies to actual attacks (DDoS etc) they could be signal to noise attacks. While the big attack is going on, another team could be using the fog of war to sneak into the back door silently and un-noticed.

See where I am going there?

In the case of Josh, do they want to D0X him or do they want to force Akamai to maybe flinch and let him go because of bad press, and potential attacks on their infrastructure and management?

Ponder that…There are many aspects to this and you have to have a war mentality to grasp it at times. Not all attacks frontally are the real attack today. Nor are all attacks on players what they may seem to be in reality, the adversaries may in fact have a longer game in mind.

Network Defense and Network OFFENSE

Ok, so back to reality today with many orgs and their INFOSEC programs. You are looking to defend your network and frankly you need not have “cool” names for your program or its players. What you need is to be mindful of your environment and pay attention to the latest attacks available that would affect it. Given today’s pace though, this makes just about everything suspect. You can get yourself an IDS/IPS, an SIEM, Malware protection, and all kinds of things, but, unless you know where shit is and what it is, you lose the big game. So, really, threat intelligence is just a cool name for an SIEM jockey today.

Like I said, unless you are doing some real adversary profiling and deep inspection of attacks, players, motivations etc, you are not doing THREATINTEL. You are minding the store and performing network defense… i.e. your job.

Now, on the other end of the spectrum lately, there have been certain douchenozzles out there saying that they can sell you services to protect your org with “OFFENSE”

*blink blink*

Offense you say? Is this some new form of new SPECWAR we aren’t aware of? Firms like the more and more vaporware company “Crowdstrike” seem to be offering these kinds of services, basically mercenaries for hire, to stop those who would do you harm. What means are they going to employ here? Obviously performing what they see as intelligence gathering, but then what? Once you have attribution will there then be “retribution” now like so many Yakuza centric stories in Gibson novels? I’m sorry, but I just don’t see this as viable nor really any kind of a good idea whatsoever… Leave it to the three letter agencies.

Alas though, I fear that these companies and actions are already at work. You can see some of that in the link above to the book I reviewed on private intelligence and corporate espionage. Will your data be a part of a greater corporate or government conspiracy? Some black ops mumbo jumbo over your personal information perhaps? Part of some retribution for some attack perceived to have happened to company A by company B?

Welcome to the shadows and fog of espionage kids.

Going “Off The Reservation”

Overall, I guess I just wanted to lay some things out there and get people’s heads around the amount of douchery going on today. We collectively have gone off the reservation post 9/11 with PII, Privacy (lack thereof) and hacking. That entities like Anonymous came to be and now see the governments and corporations of the world as dark entities isn’t so hard to see when you look at the crap going on out there. What we saw in Team Themis was just one small spec in a larger “Cyber Beltway Banditry” going on today. Look to the other side where you have Fusion centers with private INTEL gathering capacities tossing out absolute crap yet spending BILLIONS of dollars and, well, there you have it.

Monkeys with digital guns.

We are off the reservation already and it’s every man  (or woman) for him or herself.

In the end though… If you have a title that says something like “CHIEF INTELLIGENCE OFFICER” on it, you’d best be at a three letter agency.. If not, then you are deluding yourself with EPIC DOUCHERY.

K.

Three Days of The Condor… With Malware…

leave a comment »

Rvy taes eha qgcq tlmbvq tqsix. Px iiuz ytwtqn cvzl dek. Yxi dtf fq wjzbbuk. Yahpv moi riagk lbrzy mop hm xte bdibuk. Mnm o tty aulu gchd fqsrrv rvy, mnm o uhvv iiuz filr, mnm gfflsze hcl dusi, mjmsx lzqn cflla, aulu uvm vyf oo hyx jed. Awr yx dmxl bazel, e nelcdbuk emrzv. Ubx te fwce simvn cgxu xte mcfk vj fhn qrk hrp ootvk as sies phb e xioh.


Turner: Do we have plans to invade the Middle East?
Higgins: Are you crazy?
Turner: Am I?
Higgins: Look, Turner…
Turner: Do we have plans?
Higgins: No. Absolutely not. We have games. That’s all. We play games. What if? How many men? What would it take? Is there a cheaper way to destabilize a regime? That’s what we’re paid to do.
Turner: So Atwood just took the games too seriously. He was really going to do it, wasn’t he?
Higgins: A renegade operation. Atwood knew 54/12 would never authorize it, not with the heat on the company.
Turner: What if there hadn’t been any heat? Suppose I hadn’t stumbled on their plan?
Higgins: Different ballgame. Fact is, there was nothing wrong with the plan. Oh, the plan was all right, the plan would’ve worked.
Turner: Boy, what is it with you people? You think not getting caught in a lie is the same thing as telling the truth?
Higgins: No. It’s simple economics. Today it’s oil, right? In ten or fifteen years, food. Plutonium. And maybe even sooner. Now, what do you think the people are gonna want us to do then?
Turner: Ask them.
Higgins: Not now — then! Ask ’em when they’re running out. Ask ’em when there’s no heat in their homes and they’re cold. Ask ’em when their engines stop. Ask ’em when people who have never known hunger start going hungry. You wanna know something? They won’t want us to ask ’em. They’ll just want us to get it for ’em!
Turner: Boy, have you found a home. There were seven people killed, Higgins.
Higgins: The company didn’t order it.
Turner: Atwood did. Atwood did. And who the hell is Atwood? He’s you. He’s all you guys. Seven people killed, and you play fucking games!
Higgins: Right. And the other side does, too. That’s why we can’t let you stay outside.

The Geopolitics of Fossil Fuels

Since the discovery of fossil fuels (oil and the derivative of gas from it) we have had a real love affair with it. Though it was tough to get out of the ground and then refine into a usable product we decided that it was the best alternative to keeping our lights on and our cars running. Since then, the resources have become the aegis of foreign and domestic policies globally, and likely will continue this way until the last drop of fuel is burned by some car somewhere. It’s these policies that I believe are driving the recent attacks on oil and gas firms within the Middle East recently. There may be some tit for tat as well, and maybe a warning to certain players, but, overall, it seems to me that a game is being played. Of course, all the games have been being played in the region of the Middle East because of the need for fossil fuels, anyone who says otherwise I think, well, is delusional.

Whether or not you are a “tipping point” believer, in general, we have seen over the years many instances where the Med has affected and still affects today, the price of gas and thus, the cascade effect prices on just about everything because we are dependent on the gas to move things, to grow things, to.. Well you get the point right? No gas means no economy really today. So, this is an imperative and those countries seeking to gain access to said fuel resources would not be above trying to get a competitive edge over others, never mind the possibilities of gaming the owners of the resource from the start right? Add to this the pressures today of the instability in the region (and really, when has it ever been really steady?) and you have quite the motive to use espionage to get that advantage and deny others the access they too desire.

It’s with this in mind that I have been sitting back and watching the events with Saudi Aramco and RasGas with some interest. I have been reading the news reports as well as the malware assessments and cannot help but see a parallel with the movie “Three Days of the Condor” from 1975. The story line moves along the lines of an analyst finding an unsanctioned plot to overthrow a government in the Middle East over oil. This film stuck with me since seeing it as a kid in the 80’s and I have quoted it before in posts on other things. This time around though, I think we are seeing some more direct actions by persons unknown, to manipulate the playing field where oil or fuel resources are concerned..

Albeit with a modern twist for today.

Spygames  with Malware

Virus origin in Gulf computer attacks in question

New Virus Hits Oil Giant, LNG Producer

At least two types of malware are alleged to have penetrated Saudi Aramco and RASGAS in the last month or two. Not much is known about them, though Shamoon aka W32.Disttrack seems to have been pulled apart a bit by Symantec. Not much has been really made in the press over these attacks and those attacked have been quiet as well. Both RasGas and Saudi Aramco though, made statements that none of their production or distribution systems were affected by the malware, a claim that they have not really backed up with facts I might add. However, as far as we can see thus far, those statements are overall true because there are no reports of system breakdowns in getting the product to and from the companies collectively.

As it would seem from the analysis thus far of Shamoon, the malware seems to be the run of the mill data thievery type that is almost COTS in a way. The more interesting bits seem to be around the “wiping” feature that was written into it. Why the malware was made to wipe the MBR is a bit of a mystery to me and seems rather amateurish in a way that leads me to believe either someone is playing it very smart, or, they are just malicious.

I can’t be sure which…

While the method of wiping is not as exotic as the so called “wiper”  Shamoon corrupts the MBR of the system and game over. I have not seen in any of the data so far (via googling) a means of triggering the wipe sequence on Shamoon though. One wonders if it’s just timed out or is there some trigger if it is detected or tampered with? Also, it is interesting to note that the name “Shamoon or Simon” is from a folder listed in the malware as well as the fact that this was targeted to the “Arabian Gulf” as the wiper module alludes to as well. So, this seems to have been a targeted attack from these bits of data and the fact that it’s penetration out in the wild is low from what I have seen online. It is likely that this was initiated by a directed phishing attack at the companies afflicted and worked it’s way through their networks. Networks by the way, that may not in fact have been separate from the ICS/SCADA networks, which it seems may not have been directly “affected” because the payload did not include any attacks on said systems. The only fallout would likely come from a PC getting wiped which could easily be re-imaged or replaced with a working copy.

Still.. What was the goal here? What data was taken? In the case of both Saudi Aramco and RasGas, a look with Google (Google Fu) shows that both companies had quite a bit of data hanging out there to exploit and use in an attack. Today though, most of their data has been redacted, but, you still can get some cached copies of interesting tidbits. Given that they were loose before, one might imagine that they were a rich target environment for the malware to ex-filtrate all kinds of documents to the C&C server. It would take a lengthy investigation as to their market placement and any potential deals ongoing to give some more context I think, but doing so would be an interesting diversion to understand these attacks a bit better as to motive though.

The Possible Players in Shamoon/Wiper/UNSUB Malware Attacks

With all that said, then who would be the likely players here? Is this nation state? Is it corporate espionage and acts of attrition in an ongoing oil war? It’s hard to say really. One source indicated to me that perhaps it was a move by Russia to give the hint to Iran on some internecine plot over power plays in the region. I personally think that the whole “cutting sword of justice” claim that they took down Saudi Aramco is bunk but hey, maybe a cabal of hackers did this to… Well do what? Perhaps there is more yet to be dumped online in a pastebin to give us the proper scope here. Overall though, it’s been really low key and not much has come out like I said on what was taken, what was done, and the damages to the systems/companies involved.

So where does that leave us regarding who did this? Well, pretty much where we stared, with supposition and guess work. Was this nation state? This is an interesting question. If it was nation state, could it have been a fledgling group, like say, the IRGC and it’s cyber hacking group recently formed? Would Iran benefit from such attacks? All good questions and something we should all ponder. However, the most interesting point there might in fact be that since the Stuxnet genie was let out of the bottle, it was only a matter of time before actors like Iran would make their own variants and loose them upon others. In the case of Iran though, they too seem to have been hit with the same if not similar malware in recent days as well, but, this does not presuppose that they didn’t have a hand in it.

All in all, there just isn’t enough information to nail down a culprit or culprits.. But, it does show us a precedent that we should all worry about just as much as we should over certain instances of attacks against pockets of ICS/SCADA implementations. What I am talking about is blowback from attacks.

Blowback

Blowback usually refers to consequences coming back on those who took the action in the first place. Here though, I am not only referring to those who carried out the malware attacks, but also on the rest of the world in certain scenarios like this. By attacking systems such as these, one could in fact cause market fluctuations depending on the markets and their jittery-ness. In the case of the oil business, we have seen great changes in prices due to not only the control over the oil and it’s price by the cartels (Saudi) but also how the countries are feeling about their markets and the state of affairs in the world. If you start tinkering with companies of this kind and by the product of destroying infrastructure (or the perception of such) you will be affecting the prices at least for those companies directly. What if though, you were to hit more of them at the same time and cause not only damage but the “perception” of insecurity within the system of oil/gas production and distribution?

This time nothing much seems to have happened, but one can only say this because there isn’t much information out there as to what really took place on those systems and networks. What if this played out another way, with much more press and obvious damages? This would be worse and might occur the next time whether or not it was intended by the programming of the malware. This all of course depends on the scope of the attacks and with that you have to wonder about nation state vs. non state actors here. The difference being, that a nation state may attack a wider variety of systems and companies as a precursor to war while the non state actors may just be looking for information or to hobble a competitor. Both however, could have unforeseen blowback from their actions.

What all of this says though, is that Pandora’s box has been opened. All the players are now taking the field, and many of them may not be ready to play a proper game… Shamoon did it’s thing, but it seems to be more a brute force tool than an elegant piece of code and a slick plan. The blowback though is yet to be determined.

K.

“THREAT INTELLIGENCE” Sure, there’s plenty out there but, are you an analyst?

with 2 comments

Sfy fdh uua ldy lbrld nswgbbm obrkdvq C phmkmye, utn obnm mify ptm mwy vl sbw mgkznwal htn gz jahwz pvvsijs vl dpgfixc.
Lwuq fnlw ug

 

From Dell’s CTU page

Threat Intelligence

Time is of the essence when protecting your organization’s critical information assets against cyberthreats. However, finding the security intelligence that matters most to your organization consumes precious time and adds strains to in-house resources already stretched too thin. At times, days or even months can pass before vulnerabilities in your environment are patched, increasing business risk and expanding the window of exposure.

Leveraging Dell SecureWorks’ global threat visibility across thousands of customer networks, proprietary toolsets and unmatched expertise, the Dell SecureWorks Counter Threat Unit (CTU) security research team performs in-depth analysis of emerging threats and zero-day vulnerabilities.

Powered by CTU research, the Dell SecureWorks Threat Intelligence service delivers early warnings and actionable security intelligence tailored specifically to your environment, enabling you to quickly protect against threats and vulnerabilities before they impact your organization. The Threat Intelligence service enables you to reduce considerable risk by closing the window of exposure more quickly, and also enables you to spend more time devoted to quickly remediating the risks most pertinent to your organization.

Threat Intelligence services provide:

  • Proactive, actionable intelligence tailored to your environment
  • Clear, concise threat & vulnerability analyses
  • Detailed remediation information & recommendations
  • Consultation with our threat experts
  • On-demand access to extensive threat & vulnerability databases
  • Malware analysis upon request
  • XML intelligence feeds
  • Integration with other Dell SecureWorks services for correlation and unified reporting

ACRONYM SOUP

Threat Intelligence: THREATINTEL another acronym or name of something we in the INFOSEC world are now hearing as a mantra of what we need. Vendors are pimping this idea as they “cloud-ify” their solutions (SOPHOS etc) to give you the proper “Threat Intelligence” for your org. Plug in threat intelligence into Google and you will get zillions of hits that are sales pitches right off the bat. However, recently on the LiquidMatrix podcast the question was posed of “just what is the meaning of threat intelligence?”

I think that is a very important question and perhaps there are more of you out there who may not know. Certainly there are C levels out there I am sure who haven’t a clue what it means as well. A basic understanding of English will tell you that this activity involves threats and their detection, but as a company what are the threats that they would be looking for? A person with a military background may have another idea altogether of “Threat Intelligence” as they may not be so much focused on network or computer issues. Instead they may focus on physical security and the threat of individuals. Still others with a mind toward the world of intelligence, may see a more nuanced picture of the same term with bigger pictures and more subtle ideas.

The upshot here is that for each person or group that takes up the idea of monitoring threat intelligence, they first have to know what they are particularly interested in keeping an eye on, and how their organizations need that intelligence to work for them.

Threat Intelligence Takes Many Forms

In today’s world and from where I am seeing (or actually hearing it used most) is in the world of information security. In this instance, and for the thrust of this article I would like to define the types of threat intelligence that we should be paying attention to in no specific order as all are an equal part of the larger picture:

  • Malware types and propagation
  • Phishing exploits in the wild and their modus operandi
  • Vulnerabilities out in the open (new and old)
  • Your AV and IDS/HIDS/NIDS capabilities (stratified? Not? Multiple types?)
  • SIEM and Network Monitoring of health/traffic
  • Network centric asset management (a good network diagram that is updated frequently)
  • Hardware asset management (knowing what you have and where it is)
  • Software asset management (knowing what you use and what should and should not be there)
  • Network landscapes (yours and others connected to you)
  • Potential Aggressors or bad actors and their types
  • News Cycles on hackers and hacks
  • Political and social “net” movements
  • Your social media posture (PR etc) in the world at large (i.e. social media monitoring of your org being talked about)
  • The state of morale at your organization
  • Industrial espionage potentials for your org (what you hold and why it might be of interest to a nation state or other)
  • Patching and your network landscape
  • The security posture of the orgs that work with you and have connection to you
  • The threat to any orgs that you are affiliated with and connected to (i.e. higher threat and poorer security posture make for a higher threat overall to you)
  • Actionable intelligence from IDS/IPS as well as trending data from a SOC (Security Operations Center)

As you can see from the above, it’s not just getting your hands on an IDS/IPS or a SOC service and looking at the attacks currently being aimed at you. You have to know the environment, know the players both inside and outside of your organization and be able to extrapolate a big picture view that you can then drill down into and have a deep understanding of.

Is this always possible in every org? Certainly not…

However, all of these factors above could lead to a technical compromise as well as perhaps an insider leak of information that could cause you great damage. You see, this has to be a more holistic picture and not just a network centric approach in order to have a better chance at protecting yourself. The focus for many of us in the information security sphere all too often just takes the form of technical means of security when the picture is much more complex. Unfortunately though, this is where many of the companies out there looking to sell appliances and cloud services lead companies and C levels astray.

Threat Intelligence Snake Oil

Sure, a SOC and an IDS/IPS is always a good thing. I am not saying that going without one is a super fantastic idea. What I am saying is first, you have to know your appliance. Know how it works as well as what the alerts mean yourselves, not just let the service dictate to you what an alert means. Now this means that you should have technically capable people who can read an alert, know the environment well, and determine “if” an alert is indeed valid.

Remember the old axiom “A fool with a tool… Is still a fool”

SOC services today often also say they offer you threat intelligence reports. These often are regurgitation’s of news stories on current hacks that have happened as well as patches being put out for various systems. No doubt these are good, but, they don’t always have everything you need to understand the threats. This is if you even get this feature, some places may in fact only offer the IDS/IPS and it will alert you alone without real context other than a CVE and some technical details. It is important when you decide to get a threat intelligence piece in addition to an IDS/IPS service, that you look at their alerts and get a good working picture of just how much information they are collecting, it’s relevance to your org, and its timeliness. After all, if you get an important piece of data the day after an attack, its already too late right?

This is all predicated though on the idea that you have someone or group of people who understand threat intelligence principles and how to apply them to your particular environment. This is where you need “Analysts” Even with a good SOC service that has good threat intelligence for you, it’s useless unless YOU have an analyst who can interpret the data.

Threat Intelligence Requires Analysis

A common issue in the intelligence game is having analysts who understand not only the data, the complexities of environments, and the big picture view of things, but also the ability to “analyze” data and extrapolate from it in a cogent way. Recently Jeffery Carr posted a blog on Infosec Island that was particularly prescient about the need to have the right psychology when performing analysis. He is absolutely right and in his article it was specifically around the intelligence collected by agencies like the CIA. You however are likely not the CIA but, you still need to have an approach to your threat intelligence in the same vein.

The technical side of the threat intelligence needs to be married with the social and psychological as well to have the big picture view of your threats. As I mentioned above, you need to know who might have it in for you, who might target you, why would they target you, and other motivations to have a better grasp of your threat matrix. For this, you need an analyst, or analysts, not just a report from the SOC. The same can be said just for the technical side of the house as well. If you have technical alerts but no real insight into how they work as well as what you presently have in your environment, then it’s game over really. The same can be said if you don’t have an analyst who can then extrapolate all of this into a cogent means of getting it across to the C levels that there is an issue(s) and the urgency or not of remediating them.

Analyses and analysts then, are the linchpin to the whole process. Without good analysis, then the service is useless really.

Graphic from: dmrattner.com

It is paramount to have a working program of threat intelligence as opposed to just getting a service and thinking you are all set. This to me, would be the next level of “Candy Security” in that you are laying all your eggs in the basket of some service like so many still today think that they have a firewall and their all good. As we have seen in the last few years alone, the threatscape of the online world has grown from just malware that steals bank data to malware and attacks that have much broader scope and end goals as well as aggressors that are thinking much more laterally in their approaches.

So once again, analysis is key.

Final Analysis

As the complexity of attacks grow at a rate outstripping the pace of “Moores Law” the defenders have to take up a more nuanced approach to protecting their environments and their data. Reliance on technical solutions alone is not tenable, and as I have said in the past, you have to look at the creature behind the keyboard to get a better picture of the attack much of the time. A better understanding of all of the areas mentioned above will give you a higher chance of at least keeping some pace with the attacks out there against you.

Without analysis and insight, you are in an oubliet.. And you will want to “forget” because if you really think about the threats just from not knowing what goes on in your environment, you won’t be sleeping much. Consider your threat intelligence program if you have one, and if you don’t consider starting one.

K.

Written by Krypt3ia

2012/08/26 at 12:41

Malware Wars!… Cyber-Wars!.. Cyber-Espionage-Wars! OH MY

with 2 comments

X

Flame, DuQU, STUXNET, and now GAUSS:

Well, it was bound to happen and it finally did, a third variant of malware that is ostensibly connected to the story that Mikko Hypponen posted about after an email he got from a nuclear scientist in Iran has come to pass as true. The email claimed that a new piece of malware was playing AC/DC “Thunderstruck” at late hours on systems it had infected within the labs in Iran. I took this with a grain of salt and had some discussions with Mikko about it offline, he confirmed that the email came ostensibly from a known quantity in the AEOI and we left it at that, its unsubstantiated. Low and behold a week or two later and here we are with Eugene tweeting to the world that “GAUSS” is out there and has been since about 2011.

Gauss it seems had many functions and some of them are still unknown because there is an encryption around the payload that has yet to be cracked by anyone. Eugene has asked for a crowd sourced solution to that and I am sure that eventually someone will come out with the key and we will once again peer into the mind of these coders with a penchant for science and celestial mechanics. It seems from the data provided thus far from the reverse R&D that it is indeed the same folks doing the work with the same framework and foibles, and thus, it is again easily tied back to the US and Israel (allegedly per the mouthiness of Joe F-Bomb Veep) and that it is once again a weapon against the whole of the middle east with a decided targeting of Lebanon this time around. Which is an interesting target all the more since there has been some interesting financial news of late concerning banks and terror funding, but I digress…

I am sure many of you out there are already familiar with the technology of the malware so I am leaving all of that out here for perhaps another day. No, what I want to talk about is the larger paradigm here concerning the sandbox, espionage, warfare, and the infamous if not poorly named “CyberWar” going on as it becomes more and more apparent in scope. All of which seems to be centered on using massive malware schemes to hoover data as well as pull the trigger when necessary on periodic digital attacks on infrastructure. Something that truly has not been seen before Stuxnet and seems to only have geometrically progressed since Langer et al let the cat out of the bag on it.

Malware Wars:

Generally, in the information security sector, when I explain the prevalence of malware today I often go back to the beginning of the Morris worm. I explain the nature of early virus’ and how they were rather playful. I also explain that once the digital crime area became profitable and firewalls became a standard appliance in the network environment, the bad actors had to pivot to generally tunnel their data from the inside out home through such things as a firewall. This always seems to make sense to those I explain it to and today it is the norm. Malware, and the use of zero day as well as SE exploits to get the user to install software is the the way to go. It’s a form of digital judo really, using the opponents strength against them by finding their fulcrum weakness.

And so, it was only natural that the espionage groups of the world would turn to malware as the main means of gaining access to information that usually would take a human asset and a lot of time. By leveraging human nature and software flaws it has been a big win for some time now. I was actually amused that Henry Crumpton in the “Art of Intelligence” talks about how the CIA became a very early adopter of the network centric style of warfare. I imagine that some of the early malware out there used by spooks to steal from unprotected networks was CIA in origin and in fact that today’s Gauss probably has some relatives out there we have yet to see by people who have been doing this for some time now and we, the general public had no idea.

Times change though, and it seems that Eugene’s infrastructure for collecting data is creating a very wide dragnet for his people to find these infections and then reverse them. As we move forward expect to see more of these pop up, and surely soon, these will not just be US/UK/IL based attempts. Soon I think we will see the outsourced and insourced products of the likes of Iran and other nation states.. Perhaps we already have seen them, well, people like Mikko and Eugene may have at least. Who knows, maybe someday I will find something rooting about my network huh? Suffice to say, that this is just the beginning folks so get used to it.. And get used to seeing Eugene’s face and name popping up all over the place as well.. Superior showman that he is.

An Interesting Week of News About Lebanon and Bankers:

Meanwhile, I think it very telling and interesting as we see the scope of these malware attacks opening up, that not only one or two countries were targeted, but pretty much the whole of the Middle East as well. Seems its an equal opportunity thing, of course the malware never can quite be trusted to stay within the network or systems that it was meant for can we? There will always be spillage and potential for leaks that might tip off the opposition that its there. In the case of Gauss, it seems to have been targeted more at Lebanon, but, it may have been just one state out of a few it was really meant for. In the case of Lebanon though, and the fact that this piece of malware was also set to steal banking data from that area, one has to look on in wonder about the recent events surrounding HSBC.

Obviously this module was meant to be used either to just collect intelligence on banking going on as well as possibly a means to leverage those accounts in ways as yet undetermined by the rest of us. Only the makers and operators really know what the intent was there, but, one can extrapolate a bit. As terror finances go, the Middle East is the hotbed, so any intelligence on movement of money could be used in that light just as well as other ways to track the finances of criminal, geopolitical, and economic decisions being made there. Whether it be corporations or governmental bodies, this kind of intelligence would be highly prized and I can see why they would install that feature on Gauss.

All of this though, so close to the revelations of HSBC has me thinking about what else we might see coming down the pike soon on this front as well. Cur off the funding activities, and you make it much harder to conduct terrorism huh? Keep your eyes open.. You may see some interesting things happening soon, especially given that the Gauss is out of the bag now too. Operations will likely have to roll up a bit quicker.

Espionage vs. Sabotage vs. Overt Warfare of Cyber-Warfare:

Recently I have been working on some presentation stuff with someone on the whole cyberwar paradigm and this week just blew the lid off the whole debate again for me. The question as well as the rancor I have over the term “Cyberwar” has been going on some time now and in this instance as well as Stuxnet and Flame and DuQu, can we term it as cyberwar? Is this instead solely espionage? What about the elements of sabotage we saw in Stuxnet that caused actual kinetic reactions? Is that cyberwar? If there is no real war declared what do you term it other than sabotage within the confines of espionage and statecraft?

Then there is the whole issue of the use of “Cold War” to describe the whole effect of these operations. Now we have a possible cold war between those states like Iran who are now coding their own malware to attack our systems and to sabotage things to make our lives harder. Is that a war? A type of war? All of these questions are being bandied about all the while we are obviously prosecuting said war in theater as I write this. I personally am at a loss to say exactly what it is or what to term it really. Neither does the DoD at this point as they are still working on doctrine to put out there for the warriors to follow. Is there a need for prosecuting this war? It would seem that the US and others working with them seem to think so. I for one can understand the desire to and the hubris to actually do it.

Hubris though, has a funny way of coming back on you in spectacular blowback. This is my greatest fear and seemingly others, however, we still have a country and a government that is flailing about *cough the Senate cough* unable to do anything constructive to protect our own infrastructure even at a low level. So, i would think twice about the scenarios of actually leaking statements of “we did it” so quickly even if you perceive that the opposition has no current ability to strike back.. Cuz soon enough they will. It certainly won’t be a grand scale attack on our grid or telco when it does happen, but, we will likely see pockets of trouble and Iran or others will pop up with a smile, waving, and saying “HA HA!” when it does occur.

The Sandbox and The Wars We Are Prosecuting There by Malware Proxy:

Back to the Middle East though… We have been entrenched in there for so so long. Growing up I regularly watched the news reports about Lebanon and Israel, Iran and the hostages, Iraq, Saddam, Russian Proxy wars via terrorism, Ghadaffi and his ambitions as well as terror plots (which also hit close to home with the Lockerbee bombing) You kids today might think this is all new, but let me tell you, this has been going on for a long long time. One might even say thousands of years (Mecca anyone? Crusades?) So, it’s little wonder then that this would all be focused on the Med.

We are conducting proxy wars not only because of 9/11 but also economic and energy reasons as well. You want a good taste of that? Take a look at “Three Days of the Condor” a movie about a fictional “reader” for the CIA who stumbles on to a plan to disrupt governments in the Middle East to affect oil prices and access. For every person that said the Iraq war and Afghanistan wasn’t about oil, I say to them look at the bigger picture. There are echoes there of control and access that you cannot ignore. Frankly, if there wasn’t oil and money in the region, I think we would have quite a different story to look on as regards our implementing our forces there.

So, with that in mind, and with terrorism and nuclear ambitions (Iran) look at the malware targeting going on. Look at all of the nascent “Arab Springs” going on (albeit really, these are not springs, these are uprisings) we have peoples who want not to live under oppressive regimes not just because they aren’t free to buy an iPhone or surf porn, but they are also oppressed tribes or sects that no longer wish to be abused. All of this though, all of the fighting and insurgency upsets the very delicate balance that is the Middle East. Something that we in the US for our part, have been trying to cultivate (stability) even if that stability came from another strongman that we really don’t care for, but, who will work with us in trade and positional relevance to other states.

In goes the malware.. Not only to see what’s going on, but also to stop things from happening. These areas can be notoriously hard to have HUMINT in and its just easier to send in malware and rely on human nature to have a larger boon in intelligence than to try and recruit people to spy. It’s as simple as that. Hear that sucking sound? That’s all their data going to a server in Virginia. In the eyes of the services and the government, this is clearly the rights means to the ends they desire.

We Have Many Tigers by The Tail and I Expect Blowback:

Like I said before though, blowback has a nasty habit of boomeranging and here we have multiple states to deal with. Sure, not all of them has the ability to strike back at us in kind, but, as you have seen in Bulgaria, the Iranians just decided to go with their usual Hezbollah proxy war of terrorism. Others may do the same, or, they may bide their time and start hiring coders on the internet. Maybe they will hire out of Russia, or China perhaps. Hell, it’s all for sale now in the net right? The problem overall is that since we claimed the Iran attack at Natanz, we now are not only the big boy on the block, we are now the go to to be blamed for anything. Even if we say we didn’t do it, who’s gonna really believe us?

The cyber-genie is out of the cyber-bottle.

Then, this week we saw something new occur. A PSYOP, albeit a bad one, was perpetrated by the Assad regime it seems. Reuters was hacked and stories tweeted/placed on the net about how the rebel forces in Aleppo had cut and run. It was an interesting idea, but, it was ineffective for a number of reasons. The crux though is that Reuters saw it and immediately said it was false. So, no one really believed the stories. However, a more subtle approach at PSYOPS or DISINFO campaigns is likely in the offing for the near future I’d think. Surely we have been doing this for a while against them, whether it be in the news cycles or more subtle sock puppets online in social media sites like Twitter or Facebook. The US has been doing this for a long time and is well practiced. Syria though, not so much.

I have mentioned the other events above, but here are some links to stories for you to read up on it…

  • PSYOPS Operations by the nascent Syrian cyber warfare units on Reuters
  • Hezbollah’s attack in Bulgaria (bus bombing) in response to STUXNET and other machinations
  • Ostensible output of INTEL from Gauss that may have gotten HSBC in trouble and others to come (Terrorism funding and money laundering)

All in all though, I’d have to say that once the players become more sophisticated, we may in fact see some attacks against us that might work. Albeit those attacks will not be the “Cyber Pearl Harbor” that Dr. Cyberlove would like you to be afraid of. Politically too, there will be blowback from the Middle East now. I am sure that even after Wikileaks cables dump, the governments of the Med thought at least they could foresee what the US was up to and have a modicum of statecraft occur. Now though, I think we have pissed in the pool a bit too much and only have ourselves to blame with the shit hits the fan and we don’t have that many friends any more to rely on.

It’s a delicate balance.. #shutupeugene

Pandora’s Box Has Been Opened:

In the end, we have opened Pandora’s box and there is no way to get that which has escaped back into it. We have given the weapon framework away due to the nature of the carrier. Even if Gauss is encrypted, it will be broken and then what? Unlike traditional weapons that destroy themselves, the malware we have sent can be easily reverse engineered. It will give ideas to those wishing to create better versions and they will be turned on us in targeted and wide fashions to wreak as much digital havoc as possible. Unfortunately, you and I my friends are the collateral damage here, as we all depend on the systems that these types of malware insert themselves into and manipulate.

It is certainly evident as I stated above, our government here in the US is unable to come up with reasonable means to protect our systems. Systems that they do not own, Hell, the internet itself is not a government run or owned entity either, and yet they want to have an executive ability to shut it down? This alone shows you the problem of their thinking processes. They then decide to open the box and release the malware genie anyway… It’s all kind of scary when you think about it. If this is hard to concieve, lets put it in terms of biological weapons.. Weapons systems that have been banned since Nixon was in office.

The allusion should be quite easy to understand. Especially since malware was originally termed “Virus” There is a direct analogy there. Anyway, here’s the crux of it all. Just like bioweapons, digital “bioware” for lack of a better term, also cannot be controlled once let into the environment. Things mutate, whether at the hand of people or systems, things will not be contained within the intended victims. They will escape (as did all the malware we have seen) and will tend to have unforeseen consequences. God forbid we start really working on polymorphics again huh? If the circumstances are right, then, we could have a problem.

Will we eventually have to have another treaty ban on malware of this kind?

Time will tell.. Until then, we all will just be along for the cyberwar ride I guess. We seem to be steadily marching toward the “cyberwar” everyone is talking about… determined really to prosecute it… But will it get us anywhere?

K.