Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘OPSEC_FAIL’ Category

OPSEC and 2020

leave a comment »

 

OPSEC FAIL: IC and MIL LinkedIN Pages:

I recently had a comment on a post on LinkedIN (I post crazy darknet shit on there for giggles) that I did a double take on. The comment was from a profile of a woman who claimed to be a “Counterintelligence Agent” openly on the site. Now, if there is one thing about IC club I know is that if you are in IC club, you don’t talk about IC club openly like this unless you are retired. So I just had to look into this further. As I began to do some OSINT on the profile and the name attached I quickly came to the conclusion that this person was not at all what they claimed to be online. In fact, within a couple minutes of just Googling the name I started seeing all kinds of crazy things.

 

In the end the conclusion for this profile was that it was either a disturbed individual or that it was a cutout account for some kind of fuckery and I stepped away at that point. But, it got me thinking… Are there legit people out there using LinkedIN who are actually in the IC and posting that fact online now? Would that not be an EPIC OPSEC faux pax? Well, I decided to go look and see what I could find out there. What I found led me down a long and winding derp laden path and I bring it all to you now gentle reader. The portents of all this though lead me finally to ask the question; “Ok, if these people are online giving away their data, what are the RNC and DNC people doing post 2016?”

Well… Short answer is they are doing the same thing and giving the Russians or any other actor a plethora of data to use in spear phishing campaigns for 2020.

First though, as I started talking about, the IC seems to have a problem with OPSEC and I just don’t understand how these people are not being talked to. Take a look below and see what I mean here…

 

 

 

 

 

I did some backstop work on these and they seem legit. So my question then is how are they allowed to put this kind of information out there? Why are they doing it? I mean sure, this site is about jobs but, they are currently in a job and all of them should be more security conscious about putting their details out there I think. I mean, the people who are on protective detail for the president?

Really?

Of course then there are INTERPOL people and the like. What are they thinking? If I were looking to target people to attack with phishing and or to just watch and wait for an opening this would be my first easy stop to locating those people. I mean sure, the Chinese have all our SF86’s but geez! I also found more than a few military types who are in CI and other areas of the “secret” space that have current profiles with pictures and details that would make it fairly easy to get their information from open source and to target them as a nation state. The worst of the profiles though was this one:

 

WHAT THE? …. I can’t.

Yes, this woman is danging deets out there and if indeed is married to another CI agent… Whoa. How do these profiles even get out there? How is it that the Military is not teaching OPSEC classes and or looking at pages like this to stop this kind of thing? I do know there is a group that does this but wow. In this case I backtracked her as well and yep, I have her address etc now so I could easily target here and her spouse.

2020 RNC and DNC Attack Surface:

So, following this line of thought I started looking at profiles of people in both parties committee’s on LinkedIN. I decided though, to focus on those who would likely have admin access as a part of their job and I was not disappointed in finding a rich target environment. It turns out there are a fair bit of them out there oversharing as well. One would think that maybe after what happened to the DNC in 2016 these guys might, ya know, not want that kind of detail out there but hey, they are only in IT Sec and IT right?

 

 

 

 

I guess if you are a CSO or CTO you might show up on the page of the org itself but really, I would not even recommend that for some of these people. I mean, the average executive is not usually that security savvy and they are a prime target for adversaries. In the case of the DNC hack the GRU seems to have started with high visibility people in the campaign but really, if one were looking for a toehold anyone with rights would be a choice target right? I went down this rabbit hole a while and there are plenty of targets out there giving their names, their personal sites, details, and accounts such as Twitter and the like. All of this information can and likely will be used by adversaries looking to get into their networks so why are they posting all this out there?

Are we all just inured by social media?

 

I mean at least this guy tried to hide is real full name but DERP it was in his profile URL! Oh and the pic at the podium is just precious too. At least he tried though huh? This guy though is one of their “cyber” security engineers and you’d think anyone in security would have a better understanding of how not to give all this information out to anyone who wanted to abuse it right?

Guess not.

Putting on my prognostication hat, I suspect all of these people have been targeted or are on lists to be targeted by those out there looking for this kind of intel in the open source world. All you need to do is then carry out the full OSINT and you can get a pretty detailed accounting of their lives, their friends, their families, their proclivities, etc. All of this can be used against them in a campaign to subvert them and their access.

Sadly, this is the state of things.

K.

Written by Krypt3ia

2019/01/28 at 13:58

Posted in OPSEC, OPSEC_FAIL

Spies Using Social Media? No. Way. *Eyeroll*

leave a comment »

Screenshot from 2016-07-31 07-15-27

THIS rather breathlessly hyperbolic report on JTRIG using social media and hacking to spy on, or manipulate people, governments, and movements as well as gather INTEL on them had me eyerolling. Yes, this is new in that social media is new as is the Internet and hacking but really, the techniques of manipulating populaces for political and espionage advantage are nothing new. The spy agencies out in the world perform these PSYOPS and disinformation operations all the time and in the olden days kids they used to manipulate the press, then TV and the press, then INFOTAINMENT. There is nothing new here…

What you all have to realize is that now YOU are more easily hackable, your information more able to be stolen or accessed by writ of law, or YOU give it away by using applications that have been expressly created to give the agencies access to you as in this URL shortener that GCHQ used on the protesters in the Arab Spring. You all have to realize that unless you are code auditing everything you use on the net, then you too could easily fall prey to information leakage or outright compromise if you are a target of the “community” at large.

I would also like you all to take note that those who may support Wikileaks, or be a member of say Anonymous also were targeted and used in this operation by GCHQ as well so if you are an Anon, you too have been targeted rather directly (like the citation of Topiary’s conversations) so you too are not safe even if you are trying to use good OPSEC, which, it turned out, and I have written about in the past, you were not. Oddly enough though, the Snowden leaks on JTRIG also show how the same issues are at play for those operators within NSA/GCHQ as well. Trying to keep sock accounts straight, know the language and the patter, as well as the political issues is problematic when you are doing things on a larger scale (trust me I know) so at least you have that going for you right?

Heh.

Wake up people.

OPSEC… Live it.

Dr. K.

Written by Krypt3ia

2016/07/31 at 14:30

Tweeter, Jihadi, Soldier, Spy: OSINT in the Twitter JIHAD

with 3 comments

snapshot43

 

IS and the Propaganda Wars

Since the time that Zarqawi created AQI and got UBL’s approval the latter day ISIL/IS/Daesh group was a rag tag crew of angry guys looking to blow shit up. Post Abu’s passing and with the rise of Abu Baqr, the ISIL/IS/Daesh group has grown not only in numbers but also savvy on messaging and recruiting. Of course some of this has to do with the shifting nature of the region given all the politics and US screw ups since the invasion in 2003 that allowed for the group to coalesce into what we have today running amok in the region. Once the group really gained traction though, and AQ even turned their back on them for being too brutal, the IS became a force to be reckoned with in the area but now they have spread onto the internet as a means of propaganda warfare and recruitment. Much to the United States chagrin they have been all too successful in propagating their message as well as giving fodder to the main stream media to roll out the fear machine and set it to eleven.

Twitter Jihad

f6d410a8-0af6-4139-94bd-93c9a1cf8627_16x9_600x338

Primarily the IS took the model that AQAP had started and learned what AQAP did not. IS is much more capable at propaganda and slick messaging than AQAP ever was. IS has even now started it’s own magazine “Dabiq” which is much like the Inspire magazine but seems to be much more art directed than Inspire was. Now the Daesh has even broken into full blown advertising with small propaganda films that film school students probably look at and swoon over for their slick nature and editing. These things though do not have as much reach without the Twitter Jihad that is going on in tandem and as their medium for dissemination.

Twitter has been the battle ground of late in the war of ideas between IS and the world. Of course the US has decided that either the accounts on Twitter should be banned (or maybe that is just Twitter making that decision?) but it seems that the net effect here is a great game of whack-a-mole while the world burns. The US has frankly been stymied to come up with a good solution to the problem of the propaganda that IS has been using to get the ummah to come to the jihad but recently they decided that trolling might be the answer they need.

turnaway

Of course what I would call trolling is not what I am seeing out of the Department of State’s account at all. I am seeing reasoned arguments that are aimed at unreasonable individuals or those who may have some mental issues that need addressing. By being logical and refuting the call to this particular type of jihad you are just going to maybe get a lock on the rational individuals. However, Daesh wants only the cream of the crop in the whacknuttery department to join their ranks or to self radicalize and act out their fantasies here in the West. Much like I would assume the attacker from yesterday in Canada did with his shootem up at the capitol.

Frankly, I have no solid answers on how to respond to all of this. I would love to see some plans in action that would stem the tide here and perhaps staunch the flow of propaganda and jihad on Twitter. So far the only thing I can come up with is what you will see below for those who are either interested in watching the great game at a larger scale or perhaps to get inside of it a little more and work towards some asymmetric solutions. Perhaps the likes of Anonymous and others would truly “Troll” these players and drive them to drink, spending more time wasting time setting up accounts than actually placing their crap online.

… Just a thought…

On the other end of the spectrum this will be a little primmer on perhaps how you might use some tools to get closer to these guys. By getting closer I mean more in the HUMINT side of the house because as we are seeing they are learning that their metadata is on the Twitter as well. A recent manual that came out from Daesh instructing the brothers on how to stamp out their metadata and specifically called out the fact that geotags had been a problem. Well, as you can see at the top of this post that yes, this is a problem for them. However, I would posit that unless you are watching them real time somewhere in the bowels of Twitter HQ the latency issue becomes a key factor in whether or not we can send a drone and a hell-fire up their asses.

metamanual

Clearly they are learning from their mistakes and it seems of late that the Bellingcat is out of the bag here with regard to things like looking near real time at their metadata through their posting of images and tweets from places like Raqqa and elsewhere. It was this manual that prompted the post you are reading now in fact. After looking at all the data and seeing the immensity of the accounts online now that are jihadi related I think that it’s just too much for the government to handle. For that matter I think it is certainly too much for the private companies to handle as well and once you come to that conclusion you then have to think about how well they don’t all talk to each other. In the end there is a morass out there and from all intents and purposes today from what I have seen the government has no idea what to do about it. There’s just too much noise to even get the signal and soft trolling is just pathetic.

Recon

So it comes to this, I have decided that the best way of creating some tension that might cause pain to the Daesh is to give you all a taste of recon and OSINT on the Daesh. There are many tools out there you can work with and certainly there are fools with tools out there but I would like to see some smarter approaches here. So here goes…

Some tools:

  • Recon-ng
  • Mentionmap
  • Maltego
  • twiangulate
  • twtrland
  • EXIF tools (online and off)
    • regex.info
    • Foca
    • A raft of other command line tools in live distro’s for forensics

It’s a toolbox really and you put the right tools in there that you like and do the job. I am sure you all out there have others you like. These are just a few of the ones I use daily for my fun and games. Lately though I have been leveraging Recon-ng for their twitter features and will be expanding even further into the youtubes and other modules that they have for this kind of work. Suffice to say that you can really profile people on Twitter for example with just this tool alone. Below are some of my outputs for you to see.

snapshot12Supporter in Raqqa tweeting 10.17.2014Recon-ng of user on Twitter who is a player within Daesh and is in Syria

snapshot16Another user logging their connections including their DM connections

AbuAdamAlAmrikiA map of a user and who they talk to/mention with frequency as well as hash tags

snapshot41Supporter in Raqqa tweeting 10.17.2014

 

All of this data is pretty easy to get once you have the right tool sets and a good place to start looking. I leveraged a couple of accounts that I knew of (Adam Gadhan and Juni Al Britani) but you can use others. I will say though once you start spidering ou you will see a flood of accounts out there that are like minded. The trick though is to locate all those users in country and who are real players in the Daesh palooza and this is where you have the analysis phase of the game. As I have said in my posts about Threat Intelligence, it’s all about the analysis and product. If you don’t carry out the analysis well it all means nothing.

PS.. if you don’t know the tools go learn. I am not here to teach you how to use them. Buy the ticket… Take the ride.

Analysis

Analysis of the data here is the part of the cycle that takes a human being. Someone who can make connections as well as verify them. Tools are great but there are many fools with tools out there as I said above so if you use the tool but you fail in the analysis then you will give bad data in the form of connections that are incorrect. In the case of the Twitter jihad you have to have some idea of who you are dealing with. Are you in fact dealing with a real player who is in Raqqa or Ramadi or are you dealing with a wannabe in the US? You have to actually look at all the traffic, understand the language, and the psyche to make any real headway here. Just grabbing user names won’t do and it certainly won’t do if you cannot even Google translate a bit of the language to even have an idea of what is going on.

By analysis of the connections and reading the tweets you can then react appropriately by:

  1. Passively collecting intelligence
  2. Actively collecting intelligence
  3. Actively degrading their activities through disinformation operations
  4. Actively reporting their activities to authorities (thus degrading their capacities through blocks)

I am advocating all of these things now because this is just Twitter. This stuff is public to begin with and as such it is not like they are planning operational details through Twitter. They are instead advertising really and that to me is up for grabs for the common folk on the internet to attack. I am sure some out there will have a hissy about all of this (Flashpoint, lookin at you Evan you dickweed) but I don’t give a crap. This stuff is just polluting the weak minded and any way to stop it in my book is sauce for the gander.

If you are going to do this then you had best learn OSINT and intelligence analysis. If you want to just scrape names and pass them to Twitter to block, fine, but at least give them the real players and not some hapless reporter ok? Do the work, learn the tools and make a difference.

Asymmetric Response

So what I say to you all out there is pick your plan and go with it. Give the daesh a pain in the ass. I know that in the past Anon’s have been threatening all out war on the jihadi’s on Twitter and I have seen a bunch of nothing come of it. Doxing these guys will only work if they are in the US or another country where they can be picked up.I do fully support the idea though that if you are going to do this then you report them to the authorities. Drop the FBI a dump of accts and maybe some of these guys /girls can get picked up before they pull a stunt like we have seen with be-headings to mass shootings.

The governments trolling is not working and it seems that more and more of these accounts keep popping up. I mean hell, Juni’s on his 103’rd acct right?

Derp.

Just do a good job.. No half ass attempts.. And remember.. I am watching you Daeshbags!

K.

Written by Krypt3ia

2014/10/23 at 13:24

ASSESSMENT: TEAM JM511

leave a comment »

Screenshot from 2014-03-14 10:04:48

JM511 Hacking since at least 2004:

There is a typical history to certain types of hackers and this genesis usually embodies first defacing sites and gloating about it online. Since the advent of pastebin and Anonymous things have changed a bit by dumping DOX or proof of hacks while gloating. JM511 has been one of these hackers who started around 2004 (by his own account as seen in the picture below) defacing sites and shouting out gr33tz to those he wanted to share his conquests with. Often times the tenor of JM511 has been “neener neener neener you stupid idiots!” which is pretty common and bespeaks a certain core need to feel superior to anyone and everyone coupled with poor impulse control. Of course in today’s world there are so many outlets to garner fame and fortune for your exploits like Twitter where JM511 has a long lived twitter feed where he posted his thoughts on hacking, politics, Islam, and generally used it as a platform for self aggrandizement.

Screenshot from 2014-03-14 10:31:54

To date JM511 has been pretty prolific and for the most part an afterthought by most for his acts against poorly protected sites. However, he has recently taken on a new aspect with recent posts that dumped credit cards and email addresses as well as other PII that some out there certainly should care about. Law enforcement at the least should be paying attention to large dumps of credit cards and PII as well as watching these guys who profess their ties (albeit tenuously at first) to AQ. I personally got him on my radar by a tip from a comrade who thought it might be a fun diversion for me to look into Mr. 511.. That tipster was right and I tip my hat to you sir.

JM511 Today:

JM511 has been a busy busy boy. A recent post by him on pastebin was what triggered all of this from the angle of Islamic hackers who may be in fact carding on the nets. The posting below is the cause for my looksee and as you can see he is taking pleasure in dumping people’s credit details and names on pastebin with impunity. JM511 has a whole long list of pastes out there showing his knowledge of XSS to SQLi and other attacks whilst mocking those he has ripped off or otherwise shamed in some way. Of course now he called his crew “Islam Hackers” and seems to have the aforementioned aegis towards opposing those who would oppose Islam. In fact he was one of the many voices on twitter back last April saying tha Dzokhar was not guilty of his crimes (bombing the Boston Marathon) and that Islam is a religion of peace. Odd that he says such things as he then turns around and starts abusing people online…

Screenshot from 2014-03-14 11:47:34

Screenshot from 2014-03-14 11:31:31 Screenshot from 2014-03-14 11:31:16

JM511 aka   فيصل البقعاوي aka Faisal Bakaawi aka Faisal Faisal Al Otaibi:

JM511 thought he had it all figured out though. His reign has been long and no one seems to have caught onto him to date.. That is until now. Through a circuitous use of Maltego, Google, and the frontal lobes of my brain I managed to trace JM511 through his SPECTACULAR OPSEC FAIL to his real name and his location. As JM511 aka Faisal Bakaawi or Faisal Al Otaibi claims that he is in and from Saudi Arabia I am sure he thought he could not be tracked. Well, he would be incorrect there because he forgot to compartmentalize his real life with his ID’s. Faisal failed to not re-use ID’s for non hacking things like say posting an ad for housing in Dekalb Illinois recently.

Screenshot from 2014-03-14 10:58:40It seems that Faisal is attending ESL (language school) in Dekalb and used his Yahoo account (jxffh@yahoo.com) which he tied to his Skype account FoFox511x which he also kindly attached to his cell phone (443-820-8939 Baltimore number btw) and he wanted a move in date of 11/5/2013 so I am going to assume that he has found lodgings by now there in Dekalb. Some might say to me “why did you post his details on the net! Shame on you!” well, I subscribe to the idea t hat turnabout is indeed fair play and all of this data is open source and public so it has an added giggle factor for schadenfreude.

UPDATE: While researching this it became clear that the name Faisal Otaibi also comes to bear in posts and videos by JM511. Further study showed direct links to Faisal Otaibi also being a Dekalb resident attending school (see pic below) I believe that Faisal either has a pal there with him also named Faisal or, more likely, they are one in the same and Faisal has just been trying to obfuscate his name. Either way, it is my conviction that Faisal Otaibi/Bakawai is indeed JM511. It is also key to note that a Faisal Otaibi is also listed as an ethical hacker who also attended last years hacker conference in Germany…. Oh and one more thing, ELS, the school is located on NIU’s campus.

Screenshot from 2014-03-14 17:12:44

Screenshot from 2014-03-14 11:36:25

Screenshot from 2014-03-14 10:30:07

Screenshot from 2014-03-14 10:48:32Screenshot from 2014-03-14 12:32:12

So, Faisal, thanks for playing but you lose. Please collect your silver bracelets at the door because LE has been informed of these details coming to light and you should be visited hopefully soon. I do love the irony of the selfies you took showing how you used those people’s credit cards to purchase domains on your Twitter feed though. I mean usually it’s some unsuspecting idiot showing off their new credit card and not understanding OPSEC. Of course in this case it’s  you and someone else’s money that will get you some jail time I suspect.

ASSESSMENT:

My analysis of this interesting side trip to my day is this; OPSEC, USE IT or FAIL miserably. Faisal, you failed and I eagerly await the news of your being popped for your crimes. Let it be an object lesson for others out there who may look up to such fools. You may hack for a while, you may have your fun at the expense of others but eventually you will make a mistake and get caught. It’s just your human nature and the law of averages that will get you in the end. Run! Scurry! Someone’s coming to see you.

K.

Written by Krypt3ia

2014/03/14 at 16:32