Archive for the ‘OPSEC’ Category
The Road To PII Hell Is Lined With Job Applications
Due to unfortunate circumstances, I found myself in the position of looking for work after twelve years in one place. As I have been applying for new positions, I have been astonished and appalled at the amount of very personal information that companies are now collecting from prospective applicants. Gone are the days of simple applications where you fill out details about your location, work history, and education. Now, companies are asking the deeper personal questions about your sex, sexuality, status as protected persons, veteran status, veteran status as a protected vet, and other data points that should have us all kinda perturbed.
This story was in my Masto feed this morning and, clearly to me, is a harbinger of things to come. While people may openly proclaim their sexuality now, with pronouns and the like, not all of them, I am sure, would be overly comfortable with a scenario like the one above happening to them. Now, consider that it is not only the university you are attending, but also the companies you applied to in the past, as well as the one you perhaps got your job with, that have this data in some database; what happens when they get hacked and all this stuff is up for sale on the darknet as well?
If you all thought that your data was in disparate places and could not be married together easily, well, those days are over, and with the successive hacks and dumps being sold on the darknet and on forums, a savvy collector could create quite a dossier on you with all this kind of personal information. Never mind that the government of late, at least in the US, seems to be in a space where certain factions have gained a foothold and are setting up agendas to abuse your data as well.
Case in point, Florida…

Florida’s mini Trump wants all the Trans data for unclear reasons, but I think you all can get a sense of what he might be up to from his rhetoric in the past and his dark ambitions of a White House run, maybe in 24. What should be clear, though, is that seeking such data is likely going to lead to abuse of it, either deliberately or by being careless in caring for it, and you all should be afraid. By all, I mean anyone and everyone, not just trans people: this kind of data being collected, just as I mentioned above about the application process today, is basically a one-stop shop for someone looking to know about you pretty completely in one handy data dump.
Your email address
Your phone numbers
Your address
Your work history
Your certifications and education
…and now
Your sexual preferences
Your pronouns
Your protected status
Your vet status
Your major ailments (I have even seen them asking if you have IBS etc)
Your Instagram address
Your blog addresses
Your twitter address
Your LinkedIN address
Hell, I even got asked on one of the applications (well, technically, it was a separate email afterward with a form to fill out) about my religious affiliation as well! (This was a remote job, but the firm was in Northern Ireland.)
Quite the collection of data just to get a job these days….
All of this data is being handed to every company that you apply to, specifically online, in a form that is saved in a server database somewhere that likely will not be purged or encrypted.
It all waits to be stolen.
Of course, this is just my considered opinion, just a security practitioner off the street so to speak..
Be afraid.
K.
Dickson Yeo: International Man of Mystery *giggle*
I recently went on Blogs of War: Covert Contact and talked with John about online OPSEC and social media. In the process of prepping for the podcast, I went and looked up the stories about LinkedIN being used as a means for Chinese espionage. I had often written about this in the past, and in fact had specifically talked about LinkedIN and how much people overshare there. Well, I was given a small surprise when I did: it turns out ‘Dickson Yeo’, the guy arrested by the feds recently, was someone on my LinkedIN. I remember him as being someone I held at arm’s length and thought that this account was probably a cutout. Turns out I was right. Full disclosure, he messaged me a few times about posts I had made here and complimented me, but, like I said, and many of you who know me personally know, I am not so much a cuddly guy, so he went on his way. Of course later on I was banned from LinkedIN anyway (no, I still don’t know why, they would not tell me) so, yeah…. You can hear more on the story, and on LinkedIN and our oversharing, here on:
Blogs of War Covert Contact: Avoiding Your Own October Surprise
~K
OPSEC and 2020
OPSEC FAIL: IC and MIL LinkedIN Pages:
I recently had a comment on a post on LinkedIN (I post crazy darknet shit on there for giggles) that I did a double take on. The comment was from a profile of a woman who claimed to be a “Counterintelligence Agent” openly on the site. Now, if there is one thing I know about IC club, it is that if you are in IC club, you don’t talk about IC club openly like this unless you are retired. So I just had to look into this further. As I began to do some OSINT on the profile and the name attached I quickly came to the conclusion that this person was not at all what they claimed to be online. In fact, within a couple of minutes of just Googling the name I started seeing all kinds of crazy things.
In the end the conclusion for this profile was that it was either a disturbed individual or that it was a cutout account for some kind of fuckery, and I stepped away at that point. But, it got me thinking… Are there legit people out there using LinkedIN who are actually in the IC and posting that fact online now? Would that not be an EPIC OPSEC faux pas? Well, I decided to go look and see what I could find out there. What I found led me down a long and winding derp-laden path and I bring it all to you now, gentle reader. The portents of all this, though, lead me finally to ask the question: “Ok, if these people are online giving away their data, what are the RNC and DNC people doing post 2016?”
Well… Short answer is they are doing the same thing and giving the Russians or any other actor a plethora of data to use in spear phishing campaigns for 2020.
First though, as I started talking about, the IC seems to have a problem with OPSEC and I just don’t understand how these people are not being talked to. Take a look below and see what I mean here…
I did some backstop work on these and they seem legit. So my question then is how are they allowed to put this kind of information out there? Why are they doing it? I mean sure, this site is about jobs but, they are currently in a job and all of them should be more security conscious about putting their details out there I think. I mean, the people who are on protective detail for the president?
Really?
Of course then there are INTERPOL people and the like. What are they thinking? If I were looking to target people to attack with phishing and or to just watch and wait for an opening this would be my first easy stop to locating those people. I mean sure, the Chinese have all our SF86’s but geez! I also found more than a few military types who are in CI and other areas of the “secret” space that have current profiles with pictures and details that would make it fairly easy to get their information from open source and to target them as a nation state. The worst of the profiles though was this one:
WHAT THE? …. I can’t.
Yes, this woman is dangling deets out there and if she is indeed married to another CI agent… Whoa. How do these profiles even get out there? How is it that the Military is not teaching OPSEC classes and or looking at pages like this to stop this kind of thing? I do know there is a group that does this but wow. In this case I backtracked her as well and yep, I have her address etc. now so I could easily target her and her spouse.
2020 RNC and DNC Attack Surface:
So, following this line of thought I started looking at profiles of people in both parties’ committees on LinkedIN. I decided, though, to focus on those who would likely have admin access as a part of their job and I was not disappointed in finding a rich target environment. It turns out there are a fair bit of them out there oversharing as well. One would think that maybe after what happened to the DNC in 2016 these guys might, ya know, not want that kind of detail out there but hey, they are only in IT Sec and IT right?
I guess if you are a CSO or CTO you might show up on the page of the org itself but really, I would not even recommend that for some of these people. I mean, the average executive is not usually that security savvy and they are a prime target for adversaries. In the case of the DNC hack the GRU seems to have started with high visibility people in the campaign but really, if one were looking for a toehold anyone with rights would be a choice target right? I went down this rabbit hole a while and there are plenty of targets out there giving their names, their personal sites, details, and accounts such as Twitter and the like. All of this information can and likely will be used by adversaries looking to get into their networks so why are they posting all this out there?
Are we all just inured by social media?
I mean at least this guy tried to hide his real full name but DERP, it was in his profile URL! Oh and the pic at the podium is just precious too. At least he tried though huh? This guy though is one of their “cyber” security engineers and you’d think anyone in security would have a better understanding of how not to give all this information out to anyone who wanted to abuse it right?
Guess not.
Putting on my prognostication hat, I suspect all of these people have been targeted or are on lists to be targeted by those out there looking for this kind of intel in the open source world. All you need to do is then carry out the full OSINT and you can get a pretty detailed accounting of their lives, their friends, their families, their proclivities, etc. All of this can be used against them in a campaign to subvert them and their access.
Sadly, this is the state of things.
K.
LinkedIN: The APT Phisherman’s Friend
I get some interesting requests for connection on LinkedIN. Some of these are just the rando security wonk or government type; others, well, they are much more targeted and potentially adversary activity looking for an opportunity to mine your connections or you for bits. In the case of the profile above, I believe this to be a fake account created by a group looking to get into my links and perhaps someday send me some file that they hope I will click on. Now you all know me, I am an infamous bastard and I vet my connections most of the time, so when this one came in all the bells started going off once I took a closer look at her bona fides.
The problem with her is that I cannot verify much of anything she claims in her bio. I looked her up online and found nothing. I looked up the company that she works for and all I got was a real estate company out of Florida, not NYC, where she claims to be located. I then went on to inquire with the secret squirrels out there on the internets whether or not she had in fact worked for RAND. The responses I got back were that she had not worked for RAND, which sure, maybe she did and they could not locate an old email acct and just didn’t know her, but there are no other remnants in the OSINT out there showing her to be an employee there at all.
Neither could I locate her current company solidly and the company that has the name is run by some guy alone so I am not thinking that that is a solid hit. I then cross referenced in searches on Google for “Harbor Capital LLC NYC” and all I get are names that are close to this but not the same. Once again nothing comes up here that validates this person, never mind the company itself. The alarm claxon is getting louder and louder here ain’t it? So I started the cross searches and yes there are “Elisabeth M Jones'” out there but no one specifically pops up as the definitive person I am looking for here.
Then I used the image search engines to see if I could catch the photo as being re-used. This woman looks kinda familiar, like I have seen her in something on TV, but I cannot place it. Coincidentally neither can Tineye nor Google. Neither of these services gave me a solid hit on this image, so either this is someone who is rarely photographed, or this is someone whose pic has never been hoovered up and catalogued by the great Google machine.
Once again, here we are at a loss to show this person really exists. Nothing in these searches can lead me to believe this is anything but a cutout account looking to gain access to my connections and me on LinkedIN. Now some of you out there will likely say “Meh, so what?” Well, this is what: this type of attack with social engineering is what I use against targets and many of you out there in the pen-testing arena do too. More so though, the APT types have been using LinkedIN for a long time to gain access to people and then send them malware or links to malware. China has been very good at this for a long time. Iran was doing this a few years ago post Stuxnet, and now the DPRK is gangbusters on LinkedIN phishing.
Put another way gentle reader.. If you work for anything and anyone the APT types want to get access to then YOU are a target as well. Pay heed to the awareness programs you are given on social engineering and phishing and KNOW that LinkedIN, Twitter, Facebook, ALL the social media platforms are used as well for this. I personally have created profiles on LinkedIN to target execs using pretty women to get them to give me access. In fact, ALL of this should sound familiar to you.
Does the name Robin Sage ring a bell?
Speaking of Robin….
Here are Elisabeth’s connections…
Do you see the irony there?…
I do…
*giggle*
Anyway, I have reached out to some and told them that I have some inside skinny that this may be APT but only one of them said they were removing her. C’est la vie I guess, but I never added her. You gentle reader need to understand once again that the Robin Sage effect is still possible. Some of these connections have inside connections that I for one would not want connecting to this rando account… Unless that is their plan, to lead them along..
Hmm….
Whatever.
Keep your eyes open kids and just don’t click accept on shit mmmkay?
K.
PS.. Elisabeth if you are in fact real lemme know… Maybe I will acc…. NAH just fuckin wit ya!
PPS!!
Jayson, you are a first connection… I know you like going to China but you may want to not be the way in for these guys.
Spies Using Social Media? No. Way. *Eyeroll*
THIS rather breathlessly hyperbolic report on JTRIG using social media and hacking to spy on, or manipulate people, governments, and movements as well as gather INTEL on them had me eyerolling. Yes, this is new in that social media is new as is the Internet and hacking but really, the techniques of manipulating populaces for political and espionage advantage are nothing new. The spy agencies out in the world perform these PSYOPS and disinformation operations all the time and in the olden days kids they used to manipulate the press, then TV and the press, then INFOTAINMENT. There is nothing new here…
What you all have to realize is that now YOU are more easily hackable, your information more able to be stolen or accessed by writ of law, or YOU give it away by using applications that have been expressly created to give the agencies access to you as in this URL shortener that GCHQ used on the protesters in the Arab Spring. You all have to realize that unless you are code auditing everything you use on the net, then you too could easily fall prey to information leakage or outright compromise if you are a target of the “community” at large.
I would also like you all to take note that those who may support Wikileaks, or be a member of say Anonymous, also were targeted and used in this operation by GCHQ, so if you are an Anon, you too have been targeted rather directly (like the citation of Topiary’s conversations), so you too are not safe even if you are trying to use good OPSEC, which, it turned out (and I have written about this in the past), you were not. Oddly enough though, the Snowden leaks on JTRIG also show how the same issues are at play for those operators within NSA/GCHQ as well. Trying to keep sock accounts straight, know the language and the patter, as well as the political issues, is problematic when you are doing things on a larger scale (trust me, I know), so at least you have that going for you right?
Heh.
Wake up people.
OPSEC… Live it.
Dr. K.
Tweeter, Jihadi, Soldier, Spy: OSINT in the Twitter JIHAD
IS and the Propaganda Wars
Since the time that Zarqawi created AQI and got UBL’s approval, the latter-day ISIL/IS/Daesh group was a rag-tag crew of angry guys looking to blow shit up. Post Abu’s passing and with the rise of Abu Baqr, the ISIL/IS/Daesh group has grown not only in numbers but also in savvy on messaging and recruiting. Of course some of this has to do with the shifting nature of the region given all the politics and US screw-ups since the invasion in 2003 that allowed the group to coalesce into what we have today running amok in the region. Once the group really gained traction though, and AQ even turned their back on them for being too brutal, the IS became a force to be reckoned with in the area, but now they have spread onto the internet as a means of propaganda warfare and recruitment. Much to the United States’ chagrin they have been all too successful in propagating their message as well as giving fodder to the mainstream media to roll out the fear machine and set it to eleven.
Twitter Jihad
Primarily the IS took the model that AQAP had started and learned what AQAP did not. IS is much more capable at propaganda and slick messaging than AQAP ever was. IS has even now started its own magazine “Dabiq” which is much like the Inspire magazine but seems to be much more art directed than Inspire was. Now the Daesh has even broken into full-blown advertising with small propaganda films that film school students probably look at and swoon over for their slick nature and editing. These things though do not have as much reach without the Twitter Jihad that is going on in tandem and as their medium for dissemination.
Twitter has been the battle ground of late in the war of ideas between IS and the world. Of course the US has decided that either the accounts on Twitter should be banned (or maybe that is just Twitter making that decision?) but it seems that the net effect here is a great game of whack-a-mole while the world burns. The US has frankly been stymied to come up with a good solution to the problem of the propaganda that IS has been using to get the ummah to come to the jihad but recently they decided that trolling might be the answer they need.
Of course what I would call trolling is not what I am seeing out of the Department of State’s account at all. I am seeing reasoned arguments that are aimed at unreasonable individuals or those who may have some mental issues that need addressing. By being logical and refuting the call to this particular type of jihad you are just going to maybe get a lock on the rational individuals. However, Daesh wants only the cream of the crop in the whacknuttery department to join their ranks or to self-radicalize and act out their fantasies here in the West. Much like I would assume the attacker from yesterday in Canada did with his shoot-’em-up at the capitol.
Frankly, I have no solid answers on how to respond to all of this. I would love to see some plans in action that would stem the tide here and perhaps staunch the flow of propaganda and jihad on Twitter. So far the only thing I can come up with is what you will see below for those who are either interested in watching the great game at a larger scale or perhaps to get inside of it a little more and work towards some asymmetric solutions. Perhaps the likes of Anonymous and others would truly “Troll” these players and drive them to drink, spending more time wasting time setting up accounts than actually placing their crap online.
… Just a thought…
On the other end of the spectrum this will be a little primer on perhaps how you might use some tools to get closer to these guys. By getting closer I mean more on the HUMINT side of the house, because, as we are seeing, they are learning that their metadata is on the Twitter as well. A recent manual came out from Daesh instructing the brothers on how to stamp out their metadata, and it specifically called out the fact that geotags had been a problem. Well, as you can see at the top of this post, yes, this is a problem for them. However, I would posit that unless you are watching them in real time somewhere in the bowels of Twitter HQ, the latency issue becomes a key factor in whether or not we can send a drone and a Hellfire up their asses.
Clearly they are learning from their mistakes and it seems of late that the Bellingcat is out of the bag here with regard to things like looking in near real time at their metadata through their posting of images and tweets from places like Raqqa and elsewhere. It was this manual that prompted the post you are reading now, in fact. After looking at all the data and seeing the immensity of the accounts online now that are jihadi related, I think that it’s just too much for the government to handle. For that matter I think it is certainly too much for the private companies to handle as well, and once you come to that conclusion you then have to think about the fact that they don’t all talk to each other. In the end there is a morass out there and, for all intents and purposes, from what I have seen today the government has no idea what to do about it. There’s just too much noise to even get the signal, and soft trolling is just pathetic.
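The geotag leak the manual above complains about is just an EXIF GPS IFD riding inside the image. As an added example (mine, not code from the original post and not any of the tools it names), the Python below builds a tiny constructed JPEG carrying exactly that structure, reads the coordinates back the way an analyst would, and strips the APP1 segment the way a careful poster should before uploading. The JPEG, the coordinates and every function name are constructed for this example; the file has no picture data, only the marker structure a camera writes around it.

```python
import struct

# --- constructing a test image -------------------------------------------
# Everything below is constructed for this example: no real photo is used.

def _to_dms(value):
    """Decimal degrees -> EXIF style (deg, min, sec) rationals as (num, den)."""
    value = abs(value)
    deg = int(value)
    rem = (value - deg) * 60
    minutes = int(rem)
    seconds = round((rem - minutes) * 60 * 100)   # stored in hundredths
    return [(deg, 1), (minutes, 1), (seconds, 100)]

def build_exif_jpeg(lat, lon):
    """Minimal JPEG: SOI, one big-endian EXIF APP1 segment with a GPS IFD, EOI.
    Constructed test data; it has no scan data and is not a viewable picture."""
    lat_ref = b"N" if lat >= 0 else b"S"
    lon_ref = b"E" if lon >= 0 else b"W"
    gps_ifd_off, data_off = 26, 80           # fixed layout: 8 + 18 = 26, 26 + 54 = 80
    # IFD0: a single entry, tag 0x8825 (GPSInfo, type LONG) pointing at the GPS IFD
    ifd0 = struct.pack(">H", 1)
    ifd0 += struct.pack(">HHII", 0x8825, 4, 1, gps_ifd_off)
    ifd0 += struct.pack(">I", 0)             # no IFD1
    # GPS IFD: LatRef(1) Lat(2) LonRef(3) Lon(4). ASCII refs fit inline;
    # RATIONAL triplets (8 bytes each) live in the data area at data_off.
    gps = struct.pack(">H", 4)
    gps += struct.pack(">HHI", 1, 2, 2) + lat_ref + b"\x00\x00\x00"
    gps += struct.pack(">HHII", 2, 5, 3, data_off)
    gps += struct.pack(">HHI", 3, 2, 2) + lon_ref + b"\x00\x00\x00"
    gps += struct.pack(">HHII", 4, 5, 3, data_off + 24)
    gps += struct.pack(">I", 0)
    data = b"".join(struct.pack(">II", n, d) for n, d in _to_dms(lat) + _to_dms(lon))
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps + data
    assert len(tiff) == 128
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

# --- reading and scrubbing ------------------------------------------------

def split_jpeg(jpeg):
    """Split a JPEG into (marker, raw_segment) pairs up to SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    parts, pos = [(0xD8, jpeg[:2])], 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):      # EOI, or SOS: the rest is image data
            parts.append((marker, jpeg[pos:]))
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        parts.append((marker, jpeg[pos:pos + 2 + length]))
        pos += 2 + length
    return parts

def _gps_from_tiff(tiff):
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]   # both byte orders occur in the wild
    u16 = lambda off: struct.unpack(endian + "H", tiff[off:off + 2])[0]
    u32 = lambda off: struct.unpack(endian + "I", tiff[off:off + 4])[0]

    def read_ifd(off):
        # tag -> (type, count, offset of the entry's 4-byte value/offset field)
        return {u16(e): (u16(e + 2), u32(e + 4), e + 8)
                for e in range(off + 2, off + 2 + 12 * u16(off), 12)}

    ifd0 = read_ifd(u32(4))
    if 0x8825 not in ifd0:
        return None
    gps = read_ifd(u32(ifd0[0x8825][2]))
    if not all(t in gps for t in (1, 2, 3, 4)):
        return None

    def ref(tag):                        # ASCII, count <= 4, so stored inline
        _, cnt, vo = gps[tag]
        return tiff[vo:vo + cnt].rstrip(b"\x00").decode("ascii")

    def degrees(tag):                    # RATIONAL x3 (deg, min, sec) at an offset
        _, cnt, vo = gps[tag]
        base = u32(vo)
        vals = []
        for i in range(cnt):
            num, den = u32(base + 8 * i), u32(base + 8 * i + 4)
            vals.append(num / den if den else 0.0)   # guard a zero denominator
        d, m, s = (vals + [0.0, 0.0, 0.0])[:3]
        return d + m / 60 + s / 3600

    lat, lon = degrees(2), degrees(4)
    return (round(-lat if ref(1) == "S" else lat, 6),
            round(-lon if ref(3) == "W" else lon, 6))

def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the EXIF GPS IFD, or None."""
    for marker, raw in split_jpeg(jpeg):
        if marker == 0xE1 and raw[4:10] == b"Exif\x00\x00":
            return _gps_from_tiff(raw[10:])
    return None

def strip_exif(jpeg):
    """Drop every APP1 segment (EXIF and XMP); scan data is left untouched."""
    return b"".join(raw for marker, raw in split_jpeg(jpeg) if marker != 0xE1)

if __name__ == "__main__":
    img = build_exif_jpeg(12.5, -34.25)       # constructed coordinates, open ocean
    print("before scrub:", extract_gps(img))   # (12.5, -34.25)
    print("after scrub: ", extract_gps(strip_exif(img)))   # None
```

Real camera files carry many more tags and often a little-endian (`II`) header; the reader handles either byte order but only the four GPS tags needed for a fix. Removing every APP1 segment also drops XMP, which can carry location too, while the scan data is untouched, so a real picture still displays after the scrub.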
Recon
So it comes to this, I have decided that the best way of creating some tension that might cause pain to the Daesh is to give you all a taste of recon and OSINT on the Daesh. There are many tools out there you can work with and certainly there are fools with tools out there but I would like to see some smarter approaches here. So here goes…
Some tools:
- Recon-ng
- Mentionmap
- Maltego
- twiangulate
- twtrland
- EXIF tools (online and off)
- regex.info
- Foca
- A raft of other command line tools in live distros for forensics
It’s a toolbox really and you put the right tools in there that you like and do the job. I am sure you all out there have others you like. These are just a few of the ones I use daily for my fun and games. Lately though I have been leveraging Recon-ng for their twitter features and will be expanding even further into the youtubes and other modules that they have for this kind of work. Suffice to say that you can really profile people on Twitter for example with just this tool alone. Below are some of my outputs for you to see.
Image captions from the original post:
Supporter in Raqqa tweeting 10.17.2014
Recon-ng of user on Twitter who is a player within Daesh and is in Syria
Another user logging their connections including their DM connections
A map of a user and who they talk to/mention with frequency as well as hash tags
All of this data is pretty easy to get once you have the right tool sets and a good place to start looking. I leveraged a couple of accounts that I knew of (Adam Gadahn and Juni Al Britani) but you can use others. I will say though, once you start spidering out you will see a flood of accounts out there that are like-minded. The trick though is to locate all those users in country who are real players in the Daesh palooza, and this is where you have the analysis phase of the game. As I have said in my posts about Threat Intelligence, it’s all about the analysis and product. If you don’t carry out the analysis well it all means nothing.
PS.. if you don’t know the tools go learn. I am not here to teach you how to use them. Buy the ticket… Take the ride.
Analysis
Analysis of the data here is the part of the cycle that takes a human being. Someone who can make connections as well as verify them. Tools are great but there are many fools with tools out there as I said above so if you use the tool but you fail in the analysis then you will give bad data in the form of connections that are incorrect. In the case of the Twitter jihad you have to have some idea of who you are dealing with. Are you in fact dealing with a real player who is in Raqqa or Ramadi or are you dealing with a wannabe in the US? You have to actually look at all the traffic, understand the language, and the psyche to make any real headway here. Just grabbing user names won’t do and it certainly won’t do if you cannot even Google translate a bit of the language to even have an idea of what is going on.
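A mention map like the one in the Recon-ng screenshot above, written out here as an added example (mine, not the author’s output and not Recon-ng code) so the analysis step is visible rather than hidden in a tool: it counts who mentions whom and which hashtags each account uses, ranks accounts by how many distinct accounts mention them, and separates mutual ties from one-way mentions, which is the “make connections as well as verify them” part. The tweets and handles are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# A handle is 1-15 word characters after '@'; the lookbehind keeps
# "someone@example.com" from being read as a mention.
MENTION_RE = re.compile(r"(?<![\w@])@(\w{1,15})\b")
HASHTAG_RE = re.compile(r"(?<![\w#])#(\w+)")

# Constructed sample of (author, text). Handles and tags are invented.
SAMPLE_TWEETS = [
    ("user_a", "thread with @user_b and @user_c on #topic1"),
    ("user_a", "@user_b agreed, see #topic1 #topic2"),
    ("user_b", "@user_a yes. cc @user_d #topic2"),
    ("user_c", "big news #topic1 via @user_a"),
    ("user_d", "nothing to see here, mail me at someone@example.com"),
    ("user_e", "@user_a @user_a @user_a look at this #spam"),
]

def mention_map(tweets):
    """Build the map: edges[(author, mentioned)] = how often, and
    hashtags[author][tag] = how often. Handles are lower-cased."""
    edges = Counter()
    hashtags = defaultdict(Counter)
    for author, text in tweets:
        a = author.lower()
        for handle in MENTION_RE.findall(text):
            edges[(a, handle.lower())] += 1
        for tag in HASHTAG_RE.findall(text):
            hashtags[a][tag.lower()] += 1
    return edges, hashtags

def inbound_rank(edges):
    """Accounts ordered by how many DISTINCT accounts mention them.
    Counting distinct sources rather than raw mentions stops one noisy
    account (user_e above) from inflating a target's apparent importance."""
    sources = defaultdict(set)
    for src, dst in edges:
        sources[dst].add(src)
    return sorted(((dst, len(s)) for dst, s in sources.items()),
                  key=lambda item: (-item[1], item[0]))

def ties(edges, user):
    """Split one account's links into mutual (both directions) and one-way.
    A mutual tie is evidence of a real relationship; a one-way inbound
    flood is what spam or a pile-on looks like."""
    user = user.lower()
    outgoing = {dst for src, dst in edges if src == user}
    incoming = {src for src, dst in edges if dst == user}
    return {"mutual": sorted(outgoing & incoming),
            "out_only": sorted(outgoing - incoming),
            "in_only": sorted(incoming - outgoing)}

if __name__ == "__main__":
    edges, tags = mention_map(SAMPLE_TWEETS)
    print(inbound_rank(edges))
    print(ties(edges, "user_a"))
    print(dict(tags["user_a"]))
```

The two ranking choices are the analysis: counting distinct mentioners instead of raw mention volume, and checking reciprocity before calling a link a connection. Both are exactly the checks that separate a real player from a wannabe or a hapless reporter who got tagged.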
By analysis of the connections and reading the tweets you can then react appropriately by:
- Passively collecting intelligence
- Actively collecting intelligence
- Actively degrading their activities through disinformation operations
- Actively reporting their activities to authorities (thus degrading their capacities through blocks)
I am advocating all of these things now because this is just Twitter. This stuff is public to begin with and as such it is not like they are planning operational details through Twitter. They are instead advertising really and that to me is up for grabs for the common folk on the internet to attack. I am sure some out there will have a hissy about all of this (Flashpoint, lookin at you Evan you dickweed) but I don’t give a crap. This stuff is just polluting the weak minded and any way to stop it in my book is sauce for the gander.
If you are going to do this then you had best learn OSINT and intelligence analysis. If you want to just scrape names and pass them to Twitter to block, fine, but at least give them the real players and not some hapless reporter ok? Do the work, learn the tools and make a difference.
Asymmetric Response
So what I say to you all out there is pick your plan and go with it. Give the daesh a pain in the ass. I know that in the past Anons have been threatening all-out war on the jihadis on Twitter and I have seen a bunch of nothing come of it. Doxing these guys will only work if they are in the US or another country where they can be picked up. I do fully support the idea, though, that if you are going to do this then you report them to the authorities. Drop the FBI a dump of accts and maybe some of these guys/girls can get picked up before they pull a stunt like we have seen, from beheadings to mass shootings.
The government’s trolling is not working and it seems that more and more of these accounts keep popping up. I mean hell, Juni’s on his 103rd acct right?
Derp.
Just do a good job.. No half ass attempts.. And remember.. I am watching you Daeshbags!
K.
OPSEC In the Post Snowden World
OPSEC:
Operations security (OPSEC) is a term originating in U.S. military jargon, as a process that identifies critical information to determine if friendly actions can be observed by adversary intelligence systems, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information
~Wikipedia
I would take this definition further to include the tactics and methods of protecting your information from being compromised by the adversary: compromise not only by technical means but also by social and other means as well (i.e. giving that information to the wrong people by being too trusting or careless with it). Given the focus I have seen online and in the media on “secure communications” by technologies that may or may not be worth trusting, I just can’t help but feel that the majority of people out there today concerned about their privacy or their security in communications will utterly fail in the end because they lack OPSEC awareness to start. Here are some key concepts for you all to consider as you download your new fresh install of TAILS with a vulnerable i2p instance and begin to wonder about the security of the product.. I will give you a hint… Unless you consider all these things you will fail at your security machinations.
Technology and OPSEC:
So you have a Laptop you bought new from your vendor and you have downloaded TAILS so you are good to go right?
No.
Consider these things before you begin your super sekret affair online…
- Can you trust that that laptop doesn’t have some extra chips or other hardware installed? Have you taken it apart to see?
- Are you even capable of looking at the mainboard and determining what if anything does or does not belong there?
- Do you in fact own the pipe, the DNS, the router, or anything from the cable modem on your desk provided to you by the cable company? If not, then how do you know that the network is not already compromised?
- The same goes for the hardware router provided to you as well as the COTS Linksys router you bought.
- Can you trust the supply chain of the TAILS instance you downloaded to start with?
- Can you sift through the code of that TAILS instance yourself to check if there is rogue code that allows for compromise and surveillance?
- Can you truly say you are a master of your GPG/PGP public and private keys and processes to encrypt and send email to one another?
- Can you say that you securely transmitted your keys to the other party in the first place? Or that your private key is not already compromised from an end point CNE attack?
All of these things are compromisable and no one is a master of all things. Unless you build your own laptop from the ground up with hardware you checked at every step AND you never let it out of your sight, then you cannot say that the supply chain has not been tampered with. Thus your security measures are potentially void.
The same can be said about the operating system on the laptop. Did you code it? Have you vetted it yourself? Sure there is open source but really, unless you do this yourself how can you be sure? You can’t really so you have to have a measure of trust that it’s safe. But hey, now we are talking about nation state efforts to listen in and watch everything you do online so really it’s game over right?
There is no sure thing here. So you have to take this stance from the start that you are likely already compromised. You can now either attempt to game the system and have some modicum of security by using OPSEC and technical means or you can just say fuck it and not care. If you are in the former category then you can move on in this post and perhaps consider some other things you need to protect your secrets. If not, you can stop here and go back to your blue pill existence.
Nation State Surveillance and YOU:
So you have decided to read on.. Good, good…
OPSEC is more than just technical means. As you can see from the above, nothing technical can really truly be trusted. Just as no one really can be trusted in reality. I am willing to bet many of the LulzSec gang trusted Sabu, didn’t they? I mean after all they made some stellar OPSEC failures in trusting him that ended up with them in prison now, right? They also had technology fails too; I mean Sabu was pinched when he logged into an IRC without a proxy with his own IP, so there ya go. It was partly technical failure and partly human failure. Had there been a bulletproof technology to obfuscate himself, Sabu would not be in the witness protection plan now and the kidz would not be in the pokey, right?
So let’s consider some other things outside of the technical 0day and hackery bullshit.
POSIT: The technology is already owned and there is nothing you can do about it.
CONSEQUENCE: All your communications even encrypted by these means are compromised
RESULT: Nothing you do or say should be trusted to be secure
So what do you do then? Do you just give up? Or do you try other means in a layered approach to protect your security? Let me give you a hint: “it’s the latter.” However, you have to be diligent and you have to follow some ground rules. Given that the documents from the Snowden trove show that if you just use crypto for your communications, no matter how banal, you are now a target of interest and collection, you have to consider using the Moscow Rules as a daily routine.
Now does this mean you are really an enemy of the state and in grave danger? No. However, the precedent has been set that we are all under scrutiny and at the whim of whatever algorithm that flags us for traffic on the wire as well as any analyst who might take an interest in you. What’s worse is that many times one might find themselves under suspicion for who they talk to or what they may say online in today’s world and this is where we all should be very afraid. The Fourth Amendment is in tatters kids and what the state considers as papers or personal items does not consist presently of your phone or your computer files according to many in power.
It’s Moscow Rules:
- Assume nothing.
- Murphy is right.
- Never go against your gut; it is your operational antenna.
- Don’t look back; you are never completely alone.
- Everyone is potentially under opposition control.
- Go with the flow, blend in.
- Vary your pattern and stay within your cover.
- Any operation can be aborted. If it feels wrong, it is wrong.
- Maintain a natural pace.
- Lull them into a sense of complacency.
- Build in opportunity, but use it sparingly.
- Float like a butterfly, sting like a bee.
- Don’t harass the opposition.
- There is no limit to a human being’s ability to rationalize the truth.
- Pick the time and place for action.
- Keep your options open.
- Once is an accident. Twice is coincidence. Three times is an enemy action.
- Don’t attract attention, even by being too careful.
So there you have them. This is most likely a fictional list that was used in some book or other, but the CIA and the Spy Museum seem to have grabbed these as useful. These come, obviously, out of the old days of spying in Moscow, which coincidentally had so much surveillance on its native populace that I have begun to feel a strange sense of deja vu lately about our own affairs of state. Of course we don’t have the omnipresent fear of being disappeared.. Oh.. Wait.. Never mind…
Ok so we don’t really get disappeared so often but we can be taken into custody, our things searched, and our lives ruined by the government all on alleged information that you cannot see because it’s been marked as “Secret” with a handy NSL attached. I guess maybe that is a kind of disappearing huh? Not exactly to the Gulag Archipelago but close enough to ruin you. I know some of you out there probably just thought I put on my tinfoil hat there but I have personally seen this shit in action and it ain’t pretty.
Anyway, back to the purpose here, OPSEC is what you need to practice and you have to make it second nature if you want to keep your secrets secret. Unfortunately if you are in the sights of the nation state then you are pretty much fucked. However, you CAN make it more difficult as long as you are diligent and smart about it. So here’s the short and sweet of OPSEC for you:
- Trust cannot be implicit in technology or people
- Study up on disinformation and other obfuscation techniques and use them as a kind of chaff to protect your real comms
- Understand the adversary, their motives, their techniques, and their weaknesses
- If you use a technology, be sure that you are its master
- Secrets are secret (First rule of Fight Club) keep them that way
- COMPARTMENT THE EVERYTHING!
- Layer your encryption techniques and if possible use an OTP (one-time pad)
- Go read up on TSCM
- Go read up on Counter-Surveillance techniques
- If they can’t get at you technically they will send in assets to get close to you
- If they can’t get assets close to you they will use your friends
- If they can’t get your friends, assets, technical measures to work they will go after you in other ways (think legal issues)
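The advice above to layer your encryption and use a one-time pad is easy to get wrong in exactly the way that makes it worthless: reusing the pad. The following Python is an added example, not code from this post, showing a correct XOR one-time pad that refuses a pad shorter than the message, and then what an analyst recovers with no key at all when the same pad is used for a second message (crib dragging against the XOR of the two ciphertexts). The two messages and the crib are constructed for the demonstration.

```python
import os
from typing import List, Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def generate_pad(length: int) -> bytes:
    """Fresh pad material from the OS CSPRNG. A real OTP wants a hardware
    source, but the rule that matters is the same either way: never reuse it."""
    return os.urandom(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """XOR the message with a pad at least as long as the message.
    Refusing a short pad is the check that keeps this a one-time pad
    instead of a repeating-key XOR, which is trivially broken."""
    if len(pad) < len(plaintext):
        raise ValueError("pad is shorter than the message; never cycle a pad")
    return xor_bytes(plaintext, pad[: len(plaintext)])


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    # XOR is its own inverse, so decryption is the same operation.
    return otp_encrypt(ciphertext, pad)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If two messages were encrypted under the same pad, the pad cancels:
    c1 XOR c2 == p1 XOR p2. No key is needed to compute this."""
    return xor_bytes(c1, c2)


def crib_drag(leak: bytes, crib: bytes) -> List[Tuple[int, bytes]]:
    """Slide a guessed fragment of one plaintext along p1 XOR p2; wherever
    the guess is right, the result is the *other* message at that offset.
    Returns every offset whose result is printable ASCII for a human to judge."""
    hits = []
    for off in range(len(leak) - len(crib) + 1):
        candidate = xor_bytes(leak[off : off + len(crib)], crib)
        if all(0x20 <= b < 0x7F for b in candidate):
            hits.append((off, candidate))
    return hits


if __name__ == "__main__":
    # Constructed sample messages for the demonstration.
    p1 = b"meet at the safe house at 0900"
    p2 = b"the package is in locker 1742"
    pad = generate_pad(len(p1))

    c1 = otp_encrypt(p1, pad)
    assert otp_decrypt(c1, pad) == p1

    # The failure mode: the same pad used for a second message.
    c2 = otp_encrypt(p2, pad)
    leak = two_time_pad_leak(c1, c2)
    for off, recovered in crib_drag(leak, b"safe house"):
        print(f"offset {off:2d}: {recovered!r}")
```

Run it and offset 12 prints `b'is in lock'`, a slice of the second message, recovered purely from the two ciphertexts and a guess at a phrase in the first. That is the whole point of the “one-time” in the name: layering a pad over another cipher only adds anything if the pad material is never repeated.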
I bet some of you are thinking I am a real paranoid freak right now. Well, welcome to the new age of the surveillance state kids. Get used to it. YOU wanted to play this game and now you are. Welcome to the big leagues.
K.
Dropping DOX on APT: aka Free Lessons on OPSEC!
“And gentlemen in England now-a-bed
Shall think themselves accurs’d they were not here,
And hold their manhoods cheap whiles any speaks
That fought with us upon Saint Crispin’s day.”
“Prince Hal” Henry V Act 4 Scene 3 ~William Shakespeare
Stuck in The Middle with APT and YOU:
If you are like me then you too have to look at the feeds from FireEye, Crowdstrike, Mandiant, and others on a daily basis for your job. The job that I speak of includes fighting APT at times and having to keep executives aware of what is going on as well. Lately though, since the drop by Mandiant on the “China problem” (aka CN actors 1-13), there has been a huge uptick in reports that try to do the same thing, i.e. name and shame those attackers as a means to an end. That means to an end, I feel, 99.999% of the time is to garner attention from the media and to increase market share.
Others may have reasons that are more closely aligned with “America FUCK YEAH!” and may be well intentioned but misguided to my mind. I have seen the gamut of this and I too have played my role in this as well. I have dox’d players in the Jihad as well as nation state actors (mostly wannabes) on this very blog and have watched as a pile of nothing really happened most of the time. These big companies though that sell “Threat Intelligence” seem to really mostly be driven by attention and marketing appeal for their services rather than nation state concerns, in my opinion, when they drop dox on B or C level players in the “great game”, and sadly I think this is rather useless. Well, in the great game that is, not in the bottom line of lining their pockets, right? …But I digress…
Let’s face it folks, we are all subject to the great game and we have little to no power in it on the whole. The APT and the nation state will continue their games of thievery and espionage. The companies selling services will routinely use their “insider” knowledge gathered from all of their clients’ DNS traffic to generate these reports and market them to garner more clients, and we, the people at both the beginning and the end of this process, will just have to sit by and get played. Sure, if you are running your program right in your environment and you are getting good threat intelligence telemetry at the least, then you can attempt to stanch the exfil flow, but really, in the end that flow is after the fact, right? The PWN has happened and you are just being reactive. From this though you feel a certain amount of angst, right? So when some company drops dox on some third stringer in China you pump your fist in the air and say “FUCK YEAH! GOT YOU!” and feel good, right?
Yeah… I have news for you. It doesn’t mean anything. It will not stop it from happening. In fact, the services you just paid for that just shamed Wang Dong just taught him a valuable lesson….
FREE OPSEC LESSONS!:
What Wang and the PLA just learned is that Crowdstrike offers FREE OPSEC TRAINING! If any of you out there believe that this will curb the insatiable Chinese Honey-badger they have another thing coming. While it may feel like a slam dunk it is really just a Pyrrhic victory in a larger war, while it is in fact a marketing coup. The Chinese don’t care, and in fact all they will do is re-tool their exploits/TTPs/C&Cs and learn from their mistakes to become more stealthy. Really, we are training the 3rd string to be better at their job when we drop all this stuff on the net. This is a direct forced reaction to their being outed, instead of attempting to just share the data in a more covert manner within the IC or other more secretive channels where it could be used effectively, in my opinion.
So yeah, some PLA kids got a spanking and now they are known entities but really, this will not stop them from doing their job and it certainly will have an effect of changing their operational paradigms to be more subtle and inscrutable. While the marketing goal has been fulfilled I see really little other value in doing this ….unless there is a greater unseen game going on here. Some might imply that there is another dimension here and that may include disinformation or other back channel pressures by the government. In fact it was alluded to by the Crowdstrike folks that the government is fully aware and part of the whole “process” on these. So, is this also a synergistic tool for marketing AND nation state agendas for the US?
Eh… Given my opinion of late of the current Admin and the IC, not so much. Nope, I think in the end I will stick to the opinion that this is nothing more than marketing smoke and magic…
I hope the third stringers appreciate the free OPSEC lessons. I mean gee, the going rate for classes is pretty high.
K.
ASSESSMENT: Edward Snowden KGB Asset
THE SNOWDEN AFFAIR:
Since the revelations began and the man-without-a-country odyssey started, all of our lives have changed at a fundamental level regarding our digital and private lives. The now million-plus document trove is being parsed out by Glenn Greenwald and others for the public to get a look into the inner workings of the state surveillance apparatus, much to the consternation of the IC as well as the government and the dismay of the public. However you look upon Mr. Snowden and his choice, you have to admit that the information does lend an insight into the great potential for abuse of the apparatus that the NSA has put together, no matter what they may tell you they are doing or not doing to protect us. You see, the point is that no matter what alleged safeguards and altruism may lie within the apparatus and its employees, it’s still ripe for abuse that will never see the light of day because it’s all classified and codified by the government. This is the point of the exercise as I see it from Mr. Snowden’s point of view and the impetus behind his doing what he did. Of course from day one darker minds would make assertions that there were darker geopolitical machinations at play and this was all just a dastardly plan to destroy us as a country. Of course as the passion play played out it was first China, the go-to country for all our woes of late (APT etc), but as time wore on and Snowden found a perch in Russia, it’s now “clear” to some in the government that the plot was in fact Russian all along.
KGB ASSET:
Mike Rogers has been the bell ringer on the idea that Snowden from the get-go was in fact a handled and groomed asset of a foreign power. His most recent bellowing, without any real evidence, is that Snowden was in fact an asset for Russia from the start and furthermore that all of this was done to damage the US and seek primacy once again on the international stage. Of course, as I mentioned already, Mike cannot offer any evidence and he alludes to the “secrecy” of the data, but in reality, until you have proof that you can emphatically state and present to the people, it’s all just wild speculation and a form of conspiracy theory or propaganda in and of itself. While it is possible that Snowden was from the start an asset of the KGB/FSB, the evidence thus far for motive, methods, and follow-through is somewhat thin and I cannot go on the record as thinking he was handled from the start by Russia or any other nation state. The fact that Snowden ended up in Russia at Sheremetyevo may in fact be because of the machinations of Assange and Wikileaks brokering the deal to get him there and then to get him allowed into the country, not a plan all along. There is more evidence to say that this is in fact the case than there is of any KGB/FSB actions.
OCCAM’S RAZOR:
Using the paradigm of “Occam’s Razor”, let’s run through the possibilities and weigh them against the claims being made by Mike Rogers and others that this was a carefully planned operation that cultivated Ed Snowden to become the largest leaker in history.
- Ed Snowden is a naive individual who became, through a sequence of events, an administrator within the IC networks and began to see things he thought were illegal and immoral
- He used his knowledge of hacking and technologies to accumulate data through his own administrative access and social engineering
- Once he saw the data he decided to leak all that he could and, after seeing what happened to Manning, made a plan to go to a country that in all the spy novels is easy to infiltrate and exfiltrate out of
- The NSA itself had poor OPSEC and threats from insiders were poorly covered, thus making this possible (proven to be the case)
- The NSA could not even keep track of internal access and exploitation (proven to be the case)
- He contacted the press and was turned down by some until he met Greenwald and Poitras, who then planned with him how to release the data and to firewall Snowden off
- While in HK it became clear he could not stay there once the NSA/USA/UKUSA and other apparatus began working in the background to extradite him
- Poitras, Greenwald, and then Wikileaks exfiltrated Snowden out of HK and to Russia, where a brokered interim solution of the airport no-man’s zone was at least possible
- Snowden is a prize for the KGB/FSB after the fact, from not only an intelligence perspective but also a political one that thumbs its nose at the US (a win-win for Putin)
- Edward Snowden was a carefully orchestrated long-term asset of the KGB/FSB, trained by them to infiltrate the NSA and then use his domain admin/root access to steal them blind, exploiting their logical and technical vulnerabilities, whom they then exfiltrated to HK and to Russia as a smoke screen for their own operational cover
- Snowden was handled by the KGB/FSB for years while coming up the ranks as an uncredentialed cleared individual, clearly taking advantage of the US’ lax clearance and oversight process post 9/11
- Snowden was in contact with Russia from the start and is a consummate operator, perhaps even a cleverly created cutout sleeper agent
- Once gathering all the data, Snowden then passed it to Russia for them to digest and then leak to the world to cover their own operations and shame the US
- Snowden is now a hero of the state in Russia and will get a hero’s treatment with access to all that Russia can offer in the post-Soviet oligarchy (inclusive of Anna Chapman visits)
Hmmm is it just me or does the razor only really cut one way?
ANALYSIS:
My take on the whole affair is that Snowden was not a paid/cultivated/handled asset of the KGB/FSB, nor do I think that he was aided in any way by Russia in carrying out this leak/exploit. What I do think is that he is naive, but also that what he was seeing, what we are all now seeing today in the news, made him feel that the accumulation of power in a central secret body was anathema to freedom and the American ethos. As we have seen in the news there have been many things that the government has allowed, even shall we say promulgated, that are clearly violations of the US Constitution no matter the inveigling that might occur by those in power as to its legality. So I for one can see why someone like Snowden might do what they did, outside of their own propensities for spy novels and a sense of right and wrong.
The realities are that no matter the attestations by those running the programs and their need to use them, there is always a chance of their abuse and subsequent burial of the facts through classification and National Security Letters, as we have seen these last years. Were egregious abuses happening and are they still today? I am sure there are some; after all this is nothing new and all you need do to confirm that is Google “Quis custodiet ipsos custodes?” or look just to recent history with the Plame Affair to see how abuses can and have happened. So is it really beyond the pale for someone with a conscience and perhaps an overactive imagination to think that great wrongs are being committed in all our names? I think that while there may have been no abuses (and I stress “may”), the capacity for abuse and the infrastructure to hide them is easily seen within the current architecture of the IC apparatus of the NSA and their programs. After all, if you want to ask about the idea that if you have nothing to hide you have nothing to fear, I ask you to tell me just exactly how you feel every time you go through a TSA checkpoint at the airport today.
Finally, I would also like to touch on the idea that the government’s own hubris and now embarrassment is firing the boilers on this whole blame game that Snowden is in fact a handled asset of the Russians. I think that the NSA/USGOV and IC community feel the sting of their inadequacies as they have been laid bare for all to see. You see, Snowden did not carry out some 3l33t hacking here to gather the data. He used common techniques and vulnerabilities within the NSA and other government IC bodies to steal data, put it all on a USB stick and then walk out with it. It’s a simple trick, and at the top of that list is actually just socially engineering people for their passwords within the confines of the most secretive and secret IC shops in the world. Now that has to sting a bit, wouldn’t you agree? So there is shame all around here on the part of the government and it puts them all in a weak position tactically. The reactions of all those at play seem to be more along the lines of dialogue from a playground spat rather than state or spycraft, and it’s sad really. As the immortal words of GW Bush can attest:
“There’s an old saying in Tennessee – I know it’s in Texas, probably in Tennessee – that says, fool me once, shame on – shame on you. Fool me – you can’t get fooled again.”
To me, it seems that Snowden just did what he did because of a myriad of reasons that also include a certain amount of self-aggrandizement. However, I can point to things in our own history and to popular media that may explain why someone might do something like this on the grounds that they think it’s illegal, immoral, and against the tenets of the USA. While POTUS is right about how important these types of programs can be in the war on terror and the everyday intelligence gathering that every country needs to survive, it should also be possible to have some level of oversight to disallow abuses of power from happening, and happening with great frequency, due to over-classification. These are fundamental changes that should occur, but the reality is that the very nature of the work being done and the culture within its halls will stop any real progress being made. In the end nothing will change and the NSA will continue to collect all the data it can like a giant hoover-matic for later sorting and use.
Having grown up in the era of Nixon though, and other revelations like Iran-Contra, I for one not only know that these things will continue to happen but that they have in the past and should be in our collective consciousness. Unfortunately many do not remember and the only entree into such ideas may in fact be cinema… I leave you with this scene from “Three Days of the Condor”
Not everything in cinema is just fantasy…
“scr hrw lgihr kzpzz cwl nci pjwt”
ASSESSMENT: OSINT On NUCLEAR POWER SYSTEMS
NUCLEAR FACILITIES AND POWER GENERATION:
As a second assessment in my power generation and OSINT series I decided to take a look at the security around the nuclear reactors within the US. Currently there is a lot of talk around the grid and the cyber warfare of attacking our power systems, but not so much about the nuclear end of that equation. In looking at the bigger picture though, the nuclear facilities should also be at the top of the list for these types of attacks, and for assessing just how much connectivity there may be to the internet. However, in my assessment I came across much more than that: not only information that could help an attacker in attempting to access systems, but also data that could help in a successful physical attack against facilities.
Of course the threat assessment today for nuclear facilities, per the government, where Jihadist terrorism is concerned is that they are not interested in nuclear reactors because they would not be a spectacular event as attacks go. I think this is a stupid mindset or group-think mistake on the part of those who present it as fact. Terror is terror, and though a meltdown or a significant release of radiation from a facility would not rival a 9/11, it could cause mass confusion and perhaps result in some deaths. Mostly though, an attack, no matter the number of casualties, would sow fear and perhaps garner the attention that those seeking jihad would desire. In either case, the assessment here will show that perhaps there is data out there that should not be and that perhaps we all should pay a little more attention to what we place on the internet.
OSINT DATA FOUND:
Once again, just by using Google searches, a lot of ancillary data as well as reports could be found on the NRC site. Whether or not these files are meant to be available online is the question, and in most cases perhaps the data is considered to be protected behind HTTPS and within databases that “shouldn’t” be able to be spidered and cached by Google. Some of the data found was in fact in public files that were not marked for security at all, while yet others had been marked FOUO or NOFORN. Some of those documents had in fact been declassified (struck through and enclosures stripped), so they do take pains in most cases to remove data that would be detrimental if it got out. However, there were many files available that gave a lot of data to a would-be attacker.
Included in the finds online that could just be clicked and downloaded were:
- After Action Reports (AARs) from FEMA and NRC together (table top exercises around nuclear accidents and terrorism drills) that contained remediation plans
- Homeland Security evaluations of sites
- Emails between NRC and companies running facilities
- Emails between government bodies (DHS/NRC/DOE) on sites and systems
In fact there’s a lot of different data to look through, and I am not an expert on nuclear facilities or reactors, but I am pretty sure that data on their weaknesses and their plans could be of use to an attacker. Among the things that could be gleaned:
- Where current and decomm’d reactors are in the US and how many reactors per
- Potential weaknesses in systems
- Electrical systems diagrams for power output and grid
- Systems online and their settings
- Maps of facilities
- Blueprints of reactor facilities
- Electrical diagrams of control systems
- Electrical diagrams of air systems
ANALYSIS:
My analysis for this OSINT assessment is the following:
- There is enough data out there to be of use to an attacker
- The NRC and other government bodies are leaking data that perhaps should not be
- In some cases in fact NOFORN data was available as well as FOUO online through Google searches
- While most of the physical security testing (red team) data was unavailable online it is still possible to see where vulnerabilities lie with data found
- During this assessment at least no direct data such as passwords to remote SCADA/ICS systems were found in ftp sites (WIN)
It is my suspicion though that, with the amount of emails available, a concerted phishing campaign could work very well on the NRC and the companies that run these facilities, so one hopes that their OPSEC and technical systems might stop them. Reactors may not be a high value target for the jihadis, but they aren’t the only ones who would be interested in such vulnerabilities. Given too that there have been a few recent physical attacks on power systems, this should be something that we all should care about. We should care about it more as well because these facilities are large producers of megawatts and, if taken offline, could cause some real problems for the nation or portions thereof.
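To make two of the points above concrete, the search-engine method that turned up the files in the first place and the phishing surface those files expose, here is an added Python example that is not part of the original assessment. It builds the kind of site-restricted queries used to find such documents, then triages already-downloaded document text for control markings (FOUO, NOFORN and the like) and for contact addresses, rolling them up per domain the way a phisher would. The three documents embedded in it are constructed stand-ins for the NRC material described above, and every address in them is invented; only the triage logic is the point.

```python
import re
from collections import Counter
from typing import Dict, List

# Classification and dissemination-control markings worth flagging before
# (or, as in this assessment, after) a document lands on a public web server.
# Longer alternatives come first so "TOP SECRET" is not reported as "SECRET".
MARKING_RE = re.compile(
    r"\b(TOP SECRET|SECRET|CONFIDENTIAL|NOFORN|FOR OFFICIAL USE ONLY|FOUO|SBU|CUI)\b"
)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

HIGH_MARKINGS = {"TOP SECRET", "SECRET", "CONFIDENTIAL", "NOFORN"}
MEDIUM_MARKINGS = {"FOR OFFICIAL USE ONLY", "FOUO", "SBU", "CUI"}


def build_dorks(domain: str, filetypes: List[str], phrases: List[str]) -> List[str]:
    """Search-engine queries of the kind the assessment relied on: restrict to
    one site and file type, then look for a marking or a report title."""
    return [f'site:{domain} filetype:{ft} "{p}"' for ft in filetypes for p in phrases]


def scan_document(name: str, text: str) -> Dict:
    """Triage one document's extracted text: which markings it carries, which
    contact addresses it exposes, and a coarse exposure rating."""
    markings = sorted(set(MARKING_RE.findall(text)))
    emails = sorted({e.lower() for e in EMAIL_RE.findall(text)})
    if HIGH_MARKINGS & set(markings):
        exposure = "high"    # classified or NOFORN material reachable anonymously
    elif MEDIUM_MARKINGS & set(markings) or len(emails) >= 3:
        exposure = "medium"  # FOUO-class content, or a usable phishing target list
    else:
        exposure = "low"
    return {"name": name, "markings": markings, "emails": emails, "exposure": exposure}


def summarize(reports: List[Dict]) -> Dict:
    """Roll up the triage: unique addresses per domain (the phishing surface)
    and the documents that should not have been reachable at all."""
    all_emails = {e for r in reports for e in r["emails"]}
    by_domain = Counter(e.split("@", 1)[1] for e in all_emails)
    flagged = sorted(r["name"] for r in reports if r["exposure"] != "low")
    return {"emails_by_domain": dict(by_domain), "flagged": flagged}


# Constructed stand-ins for downloaded documents; the addresses are invented.
SAMPLE_DOCS = {
    "aar_tabletop.txt": (
        "FOR OFFICIAL USE ONLY\n"
        "After Action Report: joint FEMA/NRC tabletop exercise, radiological release scenario.\n"
        "Corrective actions assigned to jane.doe@nrc.gov and emergency.coord@exampleutility.com.\n"
        "FOUO\n"
    ),
    "site_evaluation.txt": (
        "SECRET//NOFORN\n"
        "Site vulnerability evaluation. Enclosure (1) removed prior to release.\n"
        "Point of contact: j.smith@dhs.gov; copy to security.officer@nrc.gov\n"
    ),
    "press_release.txt": (
        "NRC approves license renewal for Unit 2. Media inquiries: media@nrc.gov\n"
    ),
}


def run_triage(docs: Dict[str, str] = SAMPLE_DOCS) -> Dict:
    """Scan every document and return the per-file reports plus the roll-up."""
    reports = [scan_document(name, text) for name, text in docs.items()]
    return {"reports": reports, "summary": summarize(reports)}


if __name__ == "__main__":
    for q in build_dorks("nrc.gov", ["pdf"], ["NOFORN", "After Action Report"]):
        print(q)
    result = run_triage()
    for r in result["reports"]:
        print(f'{r["exposure"]:6s} {r["name"]}: markings={r["markings"]} emails={r["emails"]}')
    print(result["summary"])
```

The same scan run on the publishing side, over a web root, is the cheap control the post is asking for: anything carrying a dissemination marking has no business being spiderable, and a document that is only “protected” by not being linked is still one search away.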
Another thought that I had was of the concentration of the facilities in the eastern half of the country. A concerted attack to damage them or to cause radiological releases and SCRAMs could cause large swaths of the country to be under threat of radiation fallout from releases in concert. Of course this would be a very big task and the likelihood is small, but it could be something someone would try. With the data available from this sampling one could extrapolate that more searches and a campaign of hacking could gather much more intelligence on the targets. All of this though just points to the fact that there is data out there and that perhaps the processes for its protection are failing in certain quarters.
K.