Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Ranty Rant’ Category

Dear Newt You Fat Republican Fuckstick… Don’t Talk About Shit You Have No Concept Of


CYBERWAR and MOON BASES FOR EVERYONE!! Vote For MEEEEE!

I don’t know about you, but when I open up the feeds and see all this puffery by Newt on Cyberwar as well as taking on Iran my bile rises and the blood pressure skyrockets. This hippopotamic fuckwad really really really shows me just how piss poor our country as a whole is, incapable of governance because they are stupid enough to even consider a fucknut like him for office.

Really Newt? You want to unleash digital hell on anyone and everyone because “maybe” we got hacked by Iran or China? I won’t even try to go into the whole attribution problem with you because I know you can only really understand the words Menage a Trois (oh yeah good luck on that fat bastard) It’s useless to even try isn’t it…

What’s even worse to me is that all of this cyber-pandering and disinformation from Newt and others on the “cyberwars” has many just believing their shit. Know why? Because they have NO FUCKING CLUE how it all really works.

Remember kids, the Senate says that Pizza is in fact a vegetable! (No fucktards, it’s a fruit.. Tomatoes are a fruit)

The computer is just a “deep magic” facebook machine that costs two thousand dollars from Mac.

That’s why.

The blind leading the stupid leading the mentally challenged.

To The Infosec Community:

This shit has to stop. The Fuddery and the puffery with the likes of Bumgarner and his “Cyber Peace keepers” must be nipped in the bud or sooner rather than later we will be faced with a real crisis as someone aims real world bombs because they “think” they got an attack from a proxied box in China or Tehran.

I have railed about this before over the media hype cycles and the lack of will on their part to really perform due diligence where our realm is concerned. I have written fiery diatribes and I have chided everyone.. And most of the time I get “well, there is nothing you can do about it” back from people in the game as well as outside it.

It’s time we as a community formed something akin to FAS.org with teeth. We are speeding toward epic cyber-douchery here and it will not be the likes of a LIGATT.. Instead it will be the military and our government (cue Newt and his cyberwar first strike doctrine) carrying out actions half cocked because they “think” something happened and they “think” they know who did it. All the while the lap dog press will lap it all up off of the floor like so much Alpo and regurgitate it in their media venues to spin the populace into a fervor of approval.

Am I the only one worried about this shit?

K.

Written by Krypt3ia

2012/01/27 at 13:29

Posted in Ranty Rant

The Son of Stuxnet… Methinks The Cart Be Before Ye Horse


My dear dear lord,
The purest treasure mortal times afford
Is spotless reputation—that away,
Men are but gilded loam, or painted clay.
A jewel in a ten-times barr’d-up chest
Is a bold spirit in a loyal breast.

Mowbray, Richard II Act 1 Scene 1

As fate would have it, today I saw a tweet that said Symantec had a paper coming out on “Stuxnet II”. I surfed on over and read the document and what I was left with was this:

“We rushed to judgement here and wanted to get this out to get attention before anyone else did.. Here’s STUXNET REDUX!”

Now, sure, the code base appears to be Stuxnet’s and yes, there are similarities because of this, however, calling this Stuxnet Redux or “Son of Stuxnet” is just a way of patently seeking attention through tabloid style assumptions put on the Internet. Let me pick this apart a bit and you decide…

Code Bases and Re-Tasking

So ok, the coders seemed to have access to the FULL source of Stuxnet. It has been out there a while and surely some people in the world of “APT” have had access to this. It’s not like it was some modified version of Ebola kept at Sverdlovsk at Biopreparat. Had you even considered that it was released on purpose as chaff to get others to tinker with it and thus muddy the waters?

I’m guessing not from the report that I read, hurried as it was and full of conclusions being jumped to. In fact, Symantec even said that they had not fully audited the code! C’mon…

Alrighty then, we have a newly released and re-tasked version of Stuxnet that turns out to be just a recon tool to steal data. I find it interesting that they make so much of this and intone that the coders of the original are up to shenanigans again but fail to even beg the question that it could be anyone with the requisite skills to cut into the original code (after it had been laid out for everyone to look at) and re-task it with a new time frame. Please note that there are not the original 0day attacks and multiplicity factors of infection vectors as well as exfiltration schemes.

So, not really so complicated as I see it.. You?

The original code/malware was very targeted and this, well this is really just like any other APT attack that I have seen out there.. In fact, in some ways it’s less clever than the APT attacks out there from the past.

So, really Symantec, take a step back and mull this all over again before you release.. Say.. Just who else had the code and you were worried about that would steal your thunder here?

Pathetic.

RATS, RECON, & Targets

Speaking of the infiltration/ex-filtration picture, I see from the report that they are linking the RAT to the original worm but have no real proof that it came from DUQU! It was found in situ on the box that they analyzed and they make the assumed statement that it was “likely” downloaded by the malware via its comms to the C&C.

Once again I say “Evidence Much?”

You have no basis other than assumption but you make no real clarification on this. Though there is mention of a DQ.tmp file which I assume means that it came from the RAT.. But.. Proof again please? It’s the little things that count here and I see a great failure in your haste Symantec.

Another thing that is bugging me now is that the news cycle is making connections to DUQU with attacks on power grids.

HOLY WTF?

Symantec, DO YOU HAVE EVIDENCE of what companies were “Targeted” by this malware re-hash? If so, you should come out of the closet here a bit because this is BS unless you have proof. I of course understand that you cannot name the companies, but CONFIRM OR DENY that they were all Power companies before making claims and allusions that the media will just shriek at the top of their lungs placing more FUD on the headlines.

Or… Wait.. Now that might be an advantage to you guys huh?

Ponder.. Ponder…Ponder…

Well played….

What it all boils down to for me is this:

Someone re-tasked the malware and stuck a common RAT in it. Until you (Symantec) come up with more solid evidence of more interesting and technical attacks, then I call bullshit on you.

What? No Mention Of APT Here?

Meanwhile, I see that people are assiduously avoiding the APT word… Hmmmm What does this attack really remind one of… APT!

There, I said it.

APT attacks:

  • Infiltrate
  • Seek data
  • Exfiltrate data
  • Keep access

And therein lies the rub. DUQU has a 36 day shelf life. Now, this is good from a foot-printing level AND could be excellent for setting up the next attack vector that could include the component of sustained access. So, the reality here for me is that this was a foot print attempt on whatever companies it was set upon. It was a recon mission and that was all.

NOT STUXNET..NOT SON OF STUXNET!

Had you called it a Stuxnet like attack re-purposing code then I would have had less problems with your document Symantec. Instead we got FUD in a hurry.

Baseless Claims: Pictures Or It Never Happened!

Finally, I would like to see Symantec spend some more time here as well as see others pull this all apart. I want to see more proof before you all go off half cocked and get the straights all upset over an attack that may have nothing to do with the original.

Frankly, I find your faith in rationality disturbing… Symantec…

K.

From John Yoo and Torture to Warrantless Searches of Papers and Effects: Welcome To The Panopticon


“They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.”

Recently, a story has come up in the news that certain police departments (Michigan to be precise) have been taking more or less “forensic” images of people’s cell phones and other PDA devices when they have them stopped for traffic violations. Since the reports went live, the Michigan PD has sent out a rebuttal saying that they are in fact asking the citizen if they can scan their data. I say, whether or not they actively are doing it, they have the ability to do so per the courts since the loosening of the laws on search and seizure in places like California and Michigan where electronic media is concerned. The net effect is that our due process rights are being eroded at an ever more rapid pace.

From Dailytech.com

I. Police Seize Citizens’ Smartphones

In January 2011, California’s Supreme Court ruled 5-2 that police could conduct warrantless inspections of suspects’ cell phones.  According to the majority decision, when a person is taken into police custody, they lose privacy rights to anything they’re carrying on them.

The ruling describes, “this loss of privacy allows police not only to seize anything of importance they find on the arrestee’s body … but also to open and examine what they find.”

In a dissenting ruling, Justice Kathryn Mickle Werdegar stated, “[The ruling allows police] to rummage at leisure through the wealth of personal and business information that can be carried on a mobile phone or hand-held computer merely because the device was taken from an arrestee’s person.”

But California was not alone.  Michigan State Police officers have been using a device called Cellebrite UFED Physical Pro for the last couple years.  The device scrapes off everything stored on the phone — GPS geotag data, media (pictures, videos, music, etc.), text messages, emails, call history, and more.

Michigan State Police have reportedly been regularly scraping the phones of people they pull over.

In neighboring Wisconsin, the state Supreme Court has ruled that while such searches are generally illegal, their evidence can become admissible in court if the police demonstrate an exigency (a pressing need) for the information.

Essentially this ruling offers support for such searches as it indicates that they can give solid evidence and ostensibly offers no repercussions to law enforcement officials conducting the officially “illegal” procedure.

So far the only state to have a high profile ruling against the practice was Ohio.  The Supreme Court of Ohio ruled that warrant-less smart phone searching violated suspects’ rights.  They requested the U.S. Supreme Court review the issue, but the request was denied.

II. What Does the Constitution Say?

The United States Constitution ostensibly is the most important government document in the U.S.  It guarantees essential rights to the citizens of the U.S.

Some of those rights are specified in the Fourth Amendment, part of the original Bill of Rights.  It states:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

The Constitution explicitly states that effects of a person cannot be unreasonably seized without a warrant.

Of course courts must play the vital role of defining what a “reasonable” search is.  But by extending the limits of searches to deem nearly all searches “reasonable”, no matter how tenuous the connection to a suspect’s detainment, this and several other decisions have created an erosion of the protections in the amendment.

Essentially what court rulings in California, Michigan, and Wisconsin indicate is that the courts believe the Constitution is no longer valid, or that certain Constitutional freedoms can be specially selected for elimination.

The law and our losing the path :

The legal battle over the terms here has come down to the nature of papers and effects where they regard digital media as I understand it. I sat in on the EFF talk at Shmoocon where this very topic was brought up. It seems, that the gray areas of just what is a laptop or a phone as opposed to a “cabinet or desk” is a key factor in how some interpret the legalities of searching someone’s hard drive or phone. In my opinion, they are the same thing. A laptop is a case in which my data is stored, just like a desk or a room, which, you MUST get a warrant to search.

But, that’s just me I guess.

Personally, as the title of this post alludes, I believe that all of this started as soon as John Yoo and the Bush administration began to twist the laws concerning not only torture, but moreover, the use of warrant-less wiretaps. Post 9/11 the US went mad for tapping of phones/data at the trunk level in such instances like the one in the MAE West where they put in the NARUS STA6400. This was the biggie for me because that system hoovers ALL of the traffic, there is no selectivity over it at all. Sure the STA6400 can sift the data, but it needs ALL of the data in order to sift and data-mine. Who’s to say what data becomes important other than those who are running the compartmentalised program that has to report nothing to anyone because it is too secret.

What allowed for all of this to happen and then for the over-reaching to continue was 9/11 itself. Having been in NYC at the towers just before the attacks and working there just after in the hole, I know how many felt after it all went down. We here in the US had only had a handful of terrorist attacks within our borders and those were nothing in comparison to what took place on that day.

We all felt vulnerable and wanted the government to take care of us. We wanted vengeance, and we wanted a take charge guy.

Unfortunately that “guy” was GW Bush and his posse of cowboys who then began to run roughshod over the constitution and other documents like the Geneva conventions. It was from this need to be protected that the American people just went along with the things they knew about, as well as a healthy dose of over classification by the Bush administration that kept us in the dark as to what they really were doing. It was only later, toward the end of the second term that the full scope of abuses was coming out, and yet, the American populace really did nothing. Sure, we elected Obama who made promises to end the nightmare of abuse… But.. He hasn’t has he?

So, here we are in 2011. Ten years post 9/11, and we are finding our rights being eroded by legal positions and decisions that remove the most basic and cherished rights to reasonable searches.

Who’s to blame?

Us.

We the people have failed to keep in check the actions of the government and in some cases the courts because we have taken our collective hand off the tiller steering this country. Perhaps we really have no hand on that tiller to start simply because we have created a beast that is too big to control or have any sway over. By just looking at the state of affairs today within the political arena, one has to admit that it’s becoming more and more akin to what it used to be back in the days of Boss Tweed than anything looking like the era of J.F.K.

Simply put, without the people standing up and calling a foul on these types of erosions to liberty, then we have nothing to complain about when the liberties are taken away. On that list are the rights granted to us all by the fourth amendment. The tough thing now though is that where once your personal belongings were either in your house or on your person, now those “papers and effects” live digitally not only on your device that you have on you, but also may exist “in the cloud” as well. A cloud that you “use” and is not “owned” by you.

So sure, a cop could ask you if they can look at your phone data. Do they have to say that they are taking an “alleged” forensic image? Perhaps not, but, the thing about the whole Michigan PD thing is that independent reports have shown that they were not asking, they were just taking images when they felt they wanted to, and this is where they run afoul of due process. As far as I am concerned, a file on a phone that is not on the screen as a cop looks at it while it sits in front of him in plain view, is NOT a document that he should just have the right to fish for without a warrant.

Sorry cops… It’s a country of laws, no matter how you try to spin them so you can cut corners.

On the other hand, I know how hard it must be for the police forces of the world to do their jobs now in a digital world. Especially one that so few really understand and likely fear. These magic boxes called phones and computers now hold data that could easily make a case for crimes, but, you just can’t take them and rummage through them just like anything else where due process is concerned. What’s more, I know for a fact that unless you are a forensic investigator, AND you have a decent tool, YOU WILL MISS DATA. Which will lead potentially to acquittal because you did not follow processes such as chain of custody in E-Discovery.

For some though, I am sure it’s just about cutting a corner to make a collar… And that is not how the law is supposed to work.

Our complicity in our own privacy erosion:

Meanwhile, in the last few days another spate of news articles warned about how the iOS and Android systems were collecting data on our movements and details. This particular story is not new if you have been paying attention, it was just the aggregate amount of data that we saw being collected by the iOS particularly that shocked the general populace. For these people I have news for you;

This data and even more have been collected on you all for every service that you sign up for on the Internet. Every phone call you make, every text you send, every picture you upload. All of it is available to someone else who has access to the data.

It’s not private.

YOU have been giving away your personal data every minute of every day that you upload or pass through the telco/Internet systems.

So, even if laws are being subverted on personal searches, your data can and will be taken from the likes of Twitter and other services, perhaps even through NSL letters to those hosts and you will be none the wiser. For every post you put up on Facebook with all of your personal details, not only are you sharing that data with your “friends” but the company and whoever they want to sell it to as well.

The privacy you think you have.. Doesn’t exist.

In the case of the iOS data, no one knew about it from a customer perspective, but I am sure that there was some small print somewhere in the EULA when you bought the phone that allows Apple to collect the data… Not that they have to tell you they are doing it in big letters or clear language. So, that data too is not completely yours any more once you have agreed to their agreement to use/own the phone.

The short and long of it is that we are giving up our right to privacy for shiny toys and a sense of security that we can never really have.

In the end, the data that the iOS collects has yet to be proven to be sent to the Apple mother ship. Apple to date, has made no statement on the collection of the data nor the reasons for doing so. One can assume though, that they have some sort of location based software solution that they want to sell down the road and really, it’s caveat emptor. I am just glad that the security community likes to tinker and found this stuff, bringing it to light.

We are all to blame.

Unless we all take up the battle against the loss of privacy then we have none. Just as well, unless we speak truth to power and stop the erosion of rights to privacy within our body of laws, then we have nothing to complain about. We will have done it to ourselves.

K.

Information Security Conferences: Deadheading in 2011


I grew up in the 70’s and 80’s and I have to tell ya, I am seeing the cyclical nature of history today in the security conferences we have in the business. What was once a group of dirty dirty free love patchouli smelling hippies, has turned into.. Well, just smelly infosec geeks going from con to con and creating even more cons in every city conceivable to have more cons to go to and party.

Is this just me seeing this? Did I do the brown acid?

To what end are these cons? Is it all about sharing information on hacks and tech? Is it all about partying and being wild? Is it some sense of counter culture that the community has latched on to in order to be “different” ? Cuz I have news for you all.. You are now becoming one of two things;

1) The guy going on the boondoggle

or

2) The “Turn On, Tune In, Drop Out” generation V2.0

Think about it… You are the next hippies with cool toys man.

Really, just how much are we all learning from these conferences? How much networking is going on from the business perspective? After all, I keep hearing many who say the cons are starting to turn into IT Security sales events akin to RSA. So what’s the deal? Do we really need that many cons? It seems every week I hear people complaining that they can’t attend this or that con *boo hoo* or state that they are going to X, X, and X con just like I used to hear out of my peers heading out onto the road Deadheading.

What have we become?

Eh, for me I do enjoy Defcon once a year, but I guess I am just too old and crotchety to be running about to all of these cons. Maybe it’s because I have a full time job and other obligations that I can’t just take off for every con.  Mostly though, I wouldn’t want to. I am happy to read up on the internet about new exploits and blog, I don’t need to drink heavily and run around any more at 44…

Meanwhile, I have to wonder at the fate of those who are dead-con-ing so to speak. After all, look at all those hippies that followed the dead today… They are all pretty much old, no longer smell of patchouli, and have real lives.

You could be next.

K.

Written by Krypt3ia

2011/04/13 at 17:21