Archive for the ‘Security Theater’ Category
Handwringing, Moralizing, Anonymous, Paedophilia, and Digital Vigilantism
Preamble:
I recently posted about the Hidden Wiki and its prevalence in hosting paedophilia content. This post may or may not have left an impression on some of the Anonymous collective to take action and perhaps sow good will for their group by hacking into the “Lolita City” site within the DarkNet and releasing thousands of users’ email addresses and personal data (such as it is on such a site) for the Internet to feast upon. The Anons are doing this for their own reasons, but the upshot of it all is that they are causing the paedophiles pain in making it hard for them to get their content as well as potentially outing them online as purveyors and consumers of this wretched content.
Since my post applauding them and giving them some direction as to how to become more of an intelligence gathering apparatus for the LEO community, some in the infosec world have come forward and voiced concerns about this line of thought. All of the talk about the morals, legalities, and philosophical aspects of Anonymous undertaking such actions has gotten me thinking quite a bit. It all raises some interesting questions and philosophical challenges.
Anonymous and Digital Vigilantism:
I think the reservation most people have about Anonymous taking up such operations as the DarkNet op is that these people are for the most part kids without training and without any kind of oversight. Oversight in that they could get too big for their britches (one could say that many already have) and think that they are invulnerable to attack, never mind the respective laws of our society. That said, it would seem that Anonymous, Antisec, and LulzSec have already decided to take up the mantle of vigilantes. However, the targets have been, for the most part, varied parties that could be seen as hapless victims or as malefactors; it all depends on the point of view really.
In the case of Scientology, well, aside from religious freedoms (trust me, they are not a religion) generally the Scientologists have been pretty much seen as getting what they deserved. Today though, years later, Anonymous has begun to take on the governments of the world as well as the likes of Paedophiles online. Once again, generally, people see what they want to concerning whether governments are good or bad. Paedophiles though, pretty much are outlawed universally. So, when Anonymous decided to attack, I could not fault them one bit. However, I could perhaps fault their methods.. Only in that they were bound to only let the paedos get away in the end.
I have said it before and I will say it again.. “One man’s freedom fighter is another man’s terrorist”. It all depends upon your perspective really. While I do not think all of their targets have been chosen wisely, I cannot fault the true believers out there that they are doing something out of conscience and good. This is not to say that a certain element of the movement is in fact just in it for the lulz (i.e. Antisec and LulzSec). There certainly are factions at play who just want to see the world burn as well as garner themselves digital street cred.
Overall though, the term Vigilante denotes a person or persons (committees) who dole out justice summarily when the law is seen as ineffective by them. In this case, the Anons have taken up the mantle of vigilante in order to rid the DarkNet of paedophile content because law enforcement seems unable to do so effectively. Now this is also the crux of the issue in another way, as the police generally are not allowed to hack into sites and dump the dirt so to speak.. The Anons are unhindered here. Just as they have felt the same way about other operations where they have denied service to corporations (likening it to a digital sit in) they have crossed the line of the law, but, their methods and motivations are free of it… Until they get caught that is.
The essence of the thing is this.. “Don’t do the crime unless you can do the time”. If they believe in it strongly and act upon it, then they must accept the risks of being caught and incarcerated. So far, much of the motivation I have seen by a good deal of anons has been motivated by convictions and beliefs. All others have been for Lulz, which is what made LulzSec even more of a problem as they just did not care. The current Antisec movement that LulzSec begat also seems to lack the conviction of their beliefs and seems more driven by ego than anything else by their writings.
And this is the difference between the chaotic Joker like actors and the Batman types.
Anonymous vs. PLA, vs. Patriot Hackers:
Pulling back a bit now, I would like to look at the macroscopic view of Vigilante behaviour versus nation state sanctioned or perhaps, a better word for it would be “condoned” actions and groups. I have written in the past about groups like the Honker Union in China as well as the colourful character known as th3j35t3r. Both of these entities have had an effect on the collective consciousness concerning digital vigilante justice and I think it important that they form the contextual base for Anonymous’ actions in Operation DarkNet.
First off, ALL of these entities have been doing what they do (Jester DDOS of Jihadi sites and Anonymous, Honker, hacking against the enemies of China, and Anonymous, attacking Scientology, the gov, and paedos) with a mind toward doing “good”. In the case of Jester, he is DDoS-ing jihadi sites out of a patriotic bent, thinking that it will stop them from communicating. In the case of the Honker Union, they are patriots to their homeland and attack others who would do their country slight or harm. Anonymous though, started out of /b/ … Which really is a band of miscreants for the most part. However, a core group decided to take on the mantle of doing right somewhere down the line and we find swaths of them today supporting Occupy Wall Street and other political agendas.
The basic idea here is that they are all motivated by a belief in some greater good.. Mostly. I am sure there are on individual levels, many more motives (ego, greed, ego… the list goes on) but I will just put it to a gross generality that these people want to effect some kind of change.
At least I hope that this is the case…
What is really different though is that in the case of Jester and the Honker Union, they both are condoned if not outright supported efforts by the countries they reside in. In the case of the PLA and the Honker, there is clear connection between the state and their actions. In the case of Jester, there are allegations (made by him) that he is state sponsored.. But, I think more to the point he is condoned. Either way, the Anons may indeed be getting some support (moral or other) from state sponsors and not even know it. In the case of Anon, they could just become the tool of another nation state and not know any better.
Which is pretty scary.
All of these entities though, have had a greater or less effect upon the internet these last few years through their online shenanigans via hacking. The secret is this, they are just the first. There will be others to be sure.. The genie is out of the bottle on this one.
Anonymous vs. LulzSec & Antisec:
Conversely, we have LulzSec and Antisec, who both wreaked havoc on the corporations and the police of the world lately. Their reasons for doing so pretty much have been stated as “because we are bored”. At the core though, there seems to be a couple of motives here from postings online. One is the aforementioned Lulz, the other, seems to be a kind of abject hatred of authority and police. In recent hacks on the police though, there seems to be a bent toward supporting the Occupy movement as the police have had some transgressions against them. So.. They hacked the police and dumped all their data to spite them. Frankly, I see no value to this and once again, even if motivated by supporting the movement, it has no real effect on the police other than to make them more angry and reactive against the protesters.
Anonymous on the other hand has had its lulz, but seems to be growing up a bit and maturing. The social conscience of anon has begun to take shape and within it (movement wise) may well be the lasting component that will be its Raison d’être in the end. Time will tell though, and I hope that this is the case more so than just a bunch of malcontents seeking attention and excitement.
The Hand Wringing by The Infosec Community At Large:
Alright, back to the hand wringing and the moralizing post the Op DarkNet…
Certain people in the community wrote that while they empathised with what Anon was trying to do with Op DarkNet, they felt that these people were not the folks they would have doing this to start. Most of this comes from the fact that many of the players are not trained investigators and not LEO’s. I can agree with this from the perspective of legal proceedings later on. If Anonymous hacks a server and then dumps data, it could have an effect on the court case from a few perspectives:
- Contamination: The defense could claim that the server was hacked and the data planted
- The data could have indeed been tampered with by anons
- The backend of the server/dbase could in fact be shared and all those who share could be swept up in the legalities/implications
- The hack is enough to raise reasonable doubt
So, yes, it could be counterproductive to have a vigilante force actually hack a system and report it to law enforcement. However, I would advocate that in the case of Anonymous and the paedos at the least, they not just hack and dump data, but instead give that data to law enforcement to start an investigation. For that matter, if Anonymous just located the servers and authenticated (sans hacking) that the content was there, they could in fact just tip off the police.
And this is at least part of what they did with Lolita City in the DarkNet. They tried to locate the server location and this alone could be a great boon for the authorities.
On the other hand, there are moral/ethical objections on the parts of some who think that perhaps letting Anonymous do this type of thing, or even encouraging it, is setting a bad precedent. To them, vigilantes are outside the scope of good behaviour and the law.. They cannot be tolerated. Personally, I think that that is a sanctimonious load of crap, but, that’s just me.
Sometimes when the system cannot function other means need to be taken to effect change. In this case, within a network that is anonymized and the authorities have had little success in catching anyone trading in paedophilia, I see no harm in Anonymous outing them.. Though, I would rather they just passed the intelligence to the LEO’s instead. It is my opinion, that if done correctly, intelligence gathering of this type with a tip off to the police has a better chance at actual arrests and convictions than to just let them go on about their peddling of child pornography.
Just one man’s opinion…
Philosophical and Ethical Stands On Being The Digital Batman:
This is the philosophical and ethical standpoint I take in being the digital Batman. Strict utilitarianism dictates that maximizing overall good is key. In this case and perhaps others, the taking down of the paedophile’s content and capturing their login credentials is enough “good” to allow for the action to be seen as acceptable. This is really the basis of The Batman’s ethics in the comics and ideally, for me on this particular incident with Anonymous.
Now, this does not mean I agree with all of their operations as well as certainly not agreeing with the bulk of the actions carried out by the Antisec movement. However, the perspective is the key I suppose. It’s a slippery slope I admit, but, in this case of OpDarkNet, I agree with the greater good being served in this case.
Here we have the Deontologists like Sam Bowne. Deontology is a nice thing to cling to the ethical rules of a governing system of laws. However, it seems to me, and others here, that this system of laws is not working against these offenders in the hidden wiki. Sure, you could say that the LEO’s have ongoing investigations, but, just how many busts have there been as opposed to the massive amount of content located on the hidden wiki and within i2p, Freenet, and TOR?
So far, I have not seen law enforcement really winning this battle.
Oh well, the Deontologists have their point of view and others have theirs. The key here is that Sammy and others like Packetknife are entitled to their point of view. They are right for themselves, and that is the issue with all philosophy and ethics arguments. Like I said, it’s all about your world view. However, I do not subscribe to a moral absolute, unlike someone like Sammy.
There are no right answers. There is only what you are willing to accept for yourself.
Legal Aspects of Digital Vigilantism:
Now, on to the legal aspects here.
The US code on activities related to sexual exploitation of minors alludes to the fact that one has to “knowingly” access such content and to have more than 3 pieces of “content” to be considered guilty of child exploitation/pornography. This of course also alludes to the trafficking thereof etc etc in legalese. Where this is important for the digital Batman is where there are caveats.
(c) Affirmative Defense. - It shall be an affirmative defense to a charge of violating paragraph (4) of subsection (a) that the defendant - (1) possessed less than three matters containing any visual depiction proscribed by that paragraph; and (2) promptly and in good faith, and without retaining or allowing any person, other than a law enforcement agency, to access any visual depiction or copy thereof - (A) took reasonable steps to destroy each such visual depiction; or (B) reported the matter to a law enforcement agency and afforded that agency access to each such visual depiction.
So, as I said before, if you are trying to take one of these sites down, then do turn off your browser’s images capabilities.. Hell, why not just use Lynx for that matter so as to negate the issue. However, there is a key point here that you all should take into account. It’s the bit about making the LEO’s aware of the content. This is what I was trying to get at before. If Anonymous or anyone is going to go after this content, then it would be best if you tipped off the LEO’s to the site and the content. Now, the above statement implies that if you make the tip, then you are going to let the police have your system to look at… And we all know Anonymous is not going to do that. So, just be judicious about your tip-offs to the authorities. Do your homework and dump the data to them directly, not on Pastebin.
Of course, then there are the issues of hacking a system in the first place… Well, in the DarkNet, the only thing as I see it that is key would be not leaving a trace that you were there. You know, kinda like the whole hiking ethos of only leaving footprints.. But in this case I would suggest not even a footprint should be left behind. It seems to me, that if you hack a paedo site, even with good intentions, you could get the double whammy from the authorities of hacking as well as accessing child porn…
And that could really be problematic.
So, in the end, I circle back to recommending that you become intelligence gatherers and locate the sources to report. If you locate them, and you get some good details for the authorities without having to SQLi them, all the better. You will be doing a good thing AND you will be satisfying the Deontologists in the room.
Keep your wits about you kids.
K.
From Lulz to Global Espionage: The Age of the Cracker
It seems that 2011 is turning into the year of the cracker. Between Anonymous, Lulzsec, and the ongoing wave of espionage being carried out by nation states, we have begun to see just how serious a threat cracking really is. Of course both of these groups of attacks have greatly differing motives as well as means. Lulzsec, well, is doing it for the Lulz and the others such as nation states or criminal gangs, are doing it for political, financial, or personal gains. In this post I will cover all three groups and their motives as well as means.
Lulzsec:
Lulzsec is a splinter group of Anonymous who for all intents and purposes, have decided to carry out raids on any and all sites that they feel need their attention. This could be simply a process of finding the lowest hanging fruit and exploiting it or, there may be some further agenda that they have yet to explain fully. So far though, we have the simple explanation of “They are doing it for the Lulz”
Lulzsec really began their efforts with focusing their full attention on Sony Corp. Sony pissed them off by attempting to prosecute a coder/hacker/reverse engineer named GeoHotz. Geohotz managed to tinker with some Sony code and they went out of their way to try and destroy him. It’d be one thing if he was being malicious, but Geohotz was not.. Instead Sony was. This caused a great backlash in the hacker community against Sony, and though they came to an agreement with Geohotz, Lulzsec decided they needed some attention.
After numerous attacks on Sony that netted Lulzsec much data and showed just how poor Sony was at protecting their client data, Lulzsec decided to take their show on the road so to speak. They began their new campaign with “The Lulz Boat” which set sail for #fail as they say. Soon the Lulz were epic and the target scope began to open up. Lulzsec attacks began to show up on Pirate Bay as well as on pastebin where they would dump the data from their attacks and laugh at the targets’ poor security.
What once seemed to be revenge has now morphed into a free for all of potential piratical actions for unknown reasons by Lulzsec. Of late, they also seem to be profiting from their actions by donations of bitcoins as well as perhaps other help from the masses who enjoy their antics. It is hard to tell exactly what the agenda seems to be for Lulzsec as it is still evolving…
Meanwhile, their actions have raised the ire of not only the likes of Sony, but now the governments of the world as well as their law enforcement communities. Who knows how long it will be before they are collared or if they will be at all.
Nation State Actors:
The ‘Nation State Actors’ may well be the most sophisticated group here. Many of you likely have heard the term APT, and this group would be the core of the APT. These are the nations that have the means to use assets at their disposal to make long term and concerted attacks against their targets. This is the real meaning of APT (Advanced Persistent Threats).
What we have seen in these last few months is either an escalation on their part, or, we are just now catching on to their attacks by actually paying attention to information security. I am not sure which it is really, but, I lean toward there being more attacks as the programs developed by certain countries have solidified and spun up. As you have seen here, I have made much mention of China as being the culprit in many of the attacks recently. I stand by that assessment, but one must not forget other countries like Russia or Israel for APT attacks.
This all of course is just a natural progression from the old school espionage with physical assets in the field to a digital remote attack vector. As we have gotten wired, so has the espionage game. In the case of the wired world, unfortunately, much of the security that would usually surround assets in the old days is not put into place in the digital. Why is this? It could be a lack of understanding, or, it could also be that the technology has outpaced the security values that they require to protect the data within.
Either way, hacking/cracking has now become a tool of war as well as intelligence gathering. It’s just a fact of life today and unfortunately the vendors and users have not caught up on means to protect the assets properly.
Industrial Espionage:
This is where the APT, Lone crackers, Companies, and Nation States meet. All of these groups use hacking/cracking as a means to an end. In the case of nation states, they are often looking to steal IP from companies. Often times that IP happens to be from defense contractors. This is a dual use type of technology both for war as well as any technology taken could further their own in many other ways.
In today’s world, you have all of these players using attacks to steal data for themselves, or their masters. The recent attacks on Lockheed are just this, APT attacks, likely by China engaged to steal IP on military hardware and technologies to augment their own and compete not only on the battlefield but also economically.
Other attacks are likely un-noticed and carried out by single aggressors or small teams that hire themselves out for this purpose. These are the civilian equivalent of the nation state spies and often can be contracted by nation states or other companies to carry out the work. In fact, this has become a boutique niche for certain individuals and companies in the ‘private intelligence’ arena. For this type of actor, I suggest reading ‘Broker, Trader, Lawyer, Spy’
Criminal Gangs:
This brings me to the criminal gangs. These are most commonly from the Eastern Bloc (The former Soviet Union) and they too often work tacitly for the government. In the case of Russia, there is a large amount of governmental complicity with the gangs. This is because much of the Russian government is made up of Russian mob types or, are paid handsomely by them for complicity.
Much of the crimeware trojans out there are Russian (Ukraine) made and the money that they steal from their quick hits goes to the East. Just by looking at the news, you can see how many ATM skimming attacks have money mules hired by the Russians and how often the money makes its way there. An interesting convergence here is also the connection between the Chinese in some cases and the Russians working together. There was a spate of Russian run botnets that had Chinese involvement as well as Russian servers/sites showing up in China recently.
With the synergy of the Russian and the Chinese malware makers working together, we will have a level of attacks that will only escalate as they learn from each other and perfect their methods. Meanwhile, they are robbing places blind by stealing PII data to create identities with as well as just transferring large sums of money digitally from banks that lately seem to be getting off for not performing the due diligence of security on behalf of their clients.
When The Players All Meet:
It seems that in the end all of the players meet at the nexus of digital crime. Whether it’s stealing data for profit, or as an act of patriotism for a nation state, all of the players work within the same digital playground. As the technologies meet, so do the players and it is likely there will be bleeding together of means and opportunity.
In the case of Lulzsec, it has yet to be determined what they really are all about other than the laughs. As they were once a part of Anonymous, one might think they might have a political agenda, but they have said otherwise. However, some of their actions speak to a more political bent than anything else. The recent attack on the senate websites seems to belie at least some politics at play as they stated they didn’t like them very much.
More importantly though, it is the response by the nation states and their law enforcement groups that will be interesting. For groups like Lulzsec, they are now passing from the nuisance category into perceived enemies of the state. Once they start attacking government and military targets with their lulz, then they are likely to see a more hardened response from intelligence agencies as well as the likes of the FBI.
Once the laws and the enforcement agencies catch up with the technology, then we are going to see some interesting times…
K.
British Airways Al Qaeda Mole: The IT Connection
A British Airways computer expert who plotted to blow up a plane has been found guilty of terror charges.
Rajib Karim, 31, from Newcastle, used his job to access information for radical cleric Anwar al-Awlaki, Woolwich Crown Court heard.
He denied four charges, including sharing information of use to hate groups.
But after four days of deliberations, the jury found him guilty of all four charges.
Karim was committed to an “extreme jihadist cause” and determined to become a martyr, jurors were told.
The Bangladeshi national, who moved with his wife and son to Newcastle in 2006, had already admitted being involved in the production of a terrorist group’s video.
Joined gym
Karim, a privately-educated IT expert from Dhaka, became a supporter of the extremist organisation Jammat-ul Mujahideen Bangladesh (JMB) after being influenced by his younger brother Tehzeeb, the court heard.
He was described as a “mild-mannered, well-educated and respectful” man who hid his hatred for Western ways from colleagues by joining a gym, playing football and never airing extreme views.
But at the same time he was using his access to the airline’s offices in Newcastle and at Heathrow to spread confidential information.
After gaining a post-graduate job at BA in 2007, Karim held secret meetings with fellow Islamic extremists at Heathrow and, in 2009, began communicating with al-Awlaki from his home in Brunton Lane.
After the verdict, Home Secretary Theresa May said: “The fact that Karim has been found guilty of such a heinous plot shows why we will never be complacent.
“I want to thank the police and the security service for their hard work in this complex case.
“We know that we face a serious threat from terrorism and national security remains this government’s top priority.”
Colin Gibbs, counter terrorism lawyer for the Crown Prosecution Service, added: “The most chilling element of this case is probably the fact that Karim tried to enrol as cabin crew and anyone can imagine how horrific the consequences of this could have been, had he succeeded.
“Karim’s deep determination to plan terror attacks whatever the cost was frightening.
‘Coded messages’
“He found a position as a software engineer, which the prosecution said he considered the perfect job, giving an opportunity sooner or later to fulfil his deadly objective.”
Deputy assistant commissioner of the Metropolitan Police, Stuart Osborne, added: “Although Rajib Karim went to great lengths to disguise his activities, experts from the Metropolitan Police Service Counter Terrorism Command spent nine months decrypting 300 coded messages found on his computer hard drive.
“It was the most sophisticated decryption task of its kind ever undertaken by the Met’s Counter Terrorism Command.
“This painstaking work gave detectives access to a body of material, which exposed Rajib Karim’s terrorist activities and led to today’s conviction.”
Karim is due to be sentenced on 18 March.
Well, here you have it. This is what I have been talking about for a while now, AQ learning to insert technical moles into positions to do us harm. This guy may be a fluke in that he could have just been in the right place at the right time, but, I think that AQ placed him where he was caught.
What’s even more interesting to me is that this guy was using his technical skills to give out important intel on Heathrow and BA’s systems to AQAP. What better way than to insert a technically capable mole who is also willing to be a shahid to do the most damage? The jihadis are getting more nimble and using espionage techniques to up their game. They have learned the value of technology and just how much we are all at its mercy today.
If this doesn’t ring the warning bell not only for all CT efforts, it should at the very least do so for the airlines and the airports out there. This guy had insider knowledge and access to the systems and networks that also house the baggage scanners, passenger lists, and other security methods at Heathrow.
So, how was he caught I wonder.. Perhaps as he was talking to al-Awlaki online? From this one might infer that al-Awlaki’s comms are pretty much tapped huh? Yeah, I would guess that…
K
Inspire 3 “Operation Hemorrhage” Analysis
Al-Malahem came out with their “special” edition covering their recent parcel bomb attack on the West yesterday and it was a smug piece of propaganda that they try to gloat with. I am guessing they really need to get it out there that they had a “win” in their check-box over this failed scheme to bomb planes over the US because they are steadily losing momentum on a larger scale. However, some of what they do say in the piece does have bearing on what has been happening in the US regarding TSA security and the “theater” that they have in place instead of real security measures and about the United States financial expenditures to make us all “feel safe”. These are both things that I have touched upon many times in this blog and will line up with AQAP’s strategies now.
“Operation Hemorrhage” boasts the writers, cost only a mere $4,200.00 and the kinetic damage through fear and spending will be billions in their estimates. Thus they are only bleeding the US economy further with each attack whether successful or not. Their assessment on this is somewhat true especially given the fact that for every move there is also a counter move within the game of mental chess here on security measures. Of course, the problem has been within the US’s approach vis a vis creating the behemoth of the TSA, that there are way too many cooks and the soup is not only spoiled, but it is cold and congealed in the pot because of all of the legal, political, and infighting problems that come along with creating a government entity. Add to this that the TSA has been poorly executing security measures to begin with, then you have a problem of complete ossification of an organization that is supposed to be nimble and smart.
Instead of nimble and smart, we have had one debacle after another leading up to the current issue of invasive pat-downs and backscatter scans that are trying to prevent the last attack’s M.O. all the while the enemy has moved on to a new vector of attack. The writers of this issue make sure to re-enforce that idea:
If your opponent covers his right cheek, slap him on his left. Since9-11 the West has been stepping up defenses for its commercial aircrafts. The continuous attempts that followed 9-11 by our brother Richard Reid, the Heathrow airport plot and finally the operation of brother Umar Farouk have forced the West to spend billions of dollars to defend its airplanes. But what about cargo planes? The air freight is a multi-billion dollar industry. FedEx alone flies a fleet of 600 aircrafts and ships an average of four million packages per day. It is a huge worldwide industry. For the trade between North America and Europe air cargo is indispensable and to be able to force the West to install stringent security measures sufficient enough to stop our explosive devices would add a heavy economic burden to an already faltering economy. We knew that cargo planes are staffed by only a pilot and a co-pilot so our objective was not to cause maximum casualties but to cause maximum losses to the American economy. That is also the reason why we singled outthe two U.S. air freight companies: FedEx and UPS for our dual operation.In our discussions prior to the operation we set the passage of explosive devices from any airport as a bench-mark of success. For us, blowing up the planes would have made us very pleased but according to our planand specified objectives it was only a plus. The first package made it successfully and brought down the UPS flight in Dubai. The experiment was a brilliant success. In our following operation we used a different explosive package and determined that if both packages passed throughthe inspection at the FedEx and UPS facilities and passed through the X-Ray systems at the airport, that would raise a worldwide alert that would force upon the West two choices: You either spend billions of dollars to inspect each and every package in the world or you do nothing and we keep trying again. 
The packages not only made it out of Sana’a but one of them made it all the way to London and if it was not for an intelligence tip, both devices would have detonated. After the operation of brother Umar Farouk we have been experimenting with ways to bring down airplanes. We have researched the various security systems employed by airports. We looked into X-Ray scanners, full body scanners, sniffing dogs and other aspects of security. The resulting bomb was a device that we were confident that, with the will of Allah, it would pass through the most stringent and up-to-date security equipment. We were right. The packages were inspected at the FedEx office (the deliverer reported to us that there was no checking at the UPS), they passed through the X-Ray machines at Sana’a airport, and went through the other procedures required by cargo companies. Both devices were not detected. We are fighting a war against American tyranny. This is a new Crusade waged by the West against Islam. Therefore we wanted to put things into proper perspective. This current battle fought by the West is not an isolated battle but is a continuation of a long history of aggression by the West against the Muslim world. In order to revive and bring back this history we listed the names of Reynald Krak and Diego Diaz as the recipients of the packages. We got the former name from Reynald de Chatillon, the lord of Krak des Chevaliers who was one of the worst and most treacherous of the Crusade’s leaders. He fell into captivity and Salahuddeen personally beheaded him. The name we used for the second package was derived from that of Don Diego Deza, the Inquisitor General of the Spanish Inquisition after the fall of Granada who along with the Spanish monarchy supervised the extermination and expulsion of the Muslim presence on the Iberian Peninsula employing the most horrific methods of torture and done in the name of God and the Church.
Today we are facing a coalition of Crusaders and Zionists and we in al Qaeda of the Arabian Peninsula will never forget Palestine. How can we forget it when our motto is: “Here we start and in al-Aqsa we meet”? So we listed the address of the “Congregation Or Chadash”, a Gay and Lesbian synagogue on one of our packages. The second package was sent to “Congregation B’nai Zion”. Both synagogues are in Chicago, Obama’s city. We were very optimistic about the outcome of this operation. That is why we dropped into one of the boxes a novel titled, Great Expectations.
Another thrust that the AQAP have here is that they are using the Crusades as an aegis for all of these operations and perpetuating the idea that they today still fight a Crusade against a marauder west invading their lands… It seems that they just can’t give up that motif as a romantic illusion to bring in new recruits and keep the old ones I guess. Of course what they fail to elucidate is that even Salahudeen was able to come to the table in the end and make peace with the infidel… But I digress now into histrionics, and that is not what we need here.
What is telling in this document is that they are laying their strategy cards on the table here: for every countermeasure you come up with, we will find your weakness and exploit it. This is something that the TSA and the authorities seem to be missing the boat on in their ineptitude and ossification. They go about this not with agility and nimble thought, but instead they throw money at the problem and rely on technologies that will “save the day.” Well, this has not worked out so well, has it? The fact of the matter is that for all the machinations by this nation to protect itself since 9/11, they only recently began to seriously look at x-raying/scanning all of the baggage and cargo that goes into the belly of a plane… 10 years hence and they still have not done the basic due diligence of securing the choke points.
Don’t even get me going on the ports in this country either.. You want to see a debacle, check out port security.. It’s a nightmare. If they were serious about using a nuke or a dirty bomb, that’s where they would easily be able to get one in..
Just one cargo container on a ship…
But I digress again…
So, back to the problem of airport and air transport security. Once again, the AQAP have amped up the situation and shown that we are not indeed safe. The fact of the matter is that we never will be “completely” safe and I think now, the US public at large has begun to suss this out. Once the TSA began the “naked scans” and the enhanced pat downs, they really began to see just how much theater there is being put out there by the government ala the TSA and not so much real “security.” The backlash against these measures has pretty much shown that the US public is not willing to be strip searched every time they take a flight to see grandma or to go to work each week. Finally, the US public at large has grown up in a sense to the vagaries of life in an age of terrorism. There is no 100% security model and there are limits to what we should give up to fear and incompetence.
Meanwhile, the government plods on with the TSA in the lead playing the “man behind the curtain”, pulling the cords on the immense security apparatus that is mostly smoke and mirrors. In short, the AQAP are winning some battles here and have the government spending money like water for measures that in the end have little bearing on stopping a concerted attacker. It’s sad really.
So, what do we do? Here are my thoughts:
- Train the TSA workers properly in counterintelligence and profiling
- Institute an Israeli model of security at airports with choke points where the travelers are profiled by simple questions and trained observers
- Use the usual x-ray and magnetometers at the gate choke points
- Use sniffer machines as well as dogs on higher risk individuals
- For those who have been selected by the trained observers, use the pat downs and the backscatter machines
- Test ALL cargo going into the belly of planes. Anything with circuit boards should be given special scrutiny
What I am advocating is overall, a smarter approach to security than what we have been getting since 9/11. We also need a government and a security agency with a backbone and more culpability when they screw up. Moreover, an agency that is willing to admit when they screw up (I remember that TSA manual incident don’t you? Napolitano LIED to congress about that and was called on it) It’s time to be adults here. These are serious issues and we certainly do not need the keystone cops in place instead of Scotland Yard.
In closing I would just like to say that we are being gamed here. Gamed by AQAP and gamed by politicians trying to make you “feel safe” in hopes of staying in office. I feel truly, if we were serious about security in this country, whether it be information security, technical computer security, or security against terrorism, we would be doing things much more effectively to actually “secure” the nation. There is a lot of lip service out there but I see all too many incidences of it just being lip service and little action. I also am afraid, that I see things going down the path of security becoming not only the nanny state, but also the “dear father” state. This is what scares me the most of late.
The detentions of hackers in airports demanding their hardware and their keys is a chilling thing. Mind you, these are people I know in some cases and I feel are being harassed because of affiliations or as byproducts of technologies they work on. Increasingly, the federal government has been still gathering powers of surveillance without checks and balances that would make the Nixon team cream in their pants with desire. In the wrong hands and without the checks and balances, we have the great potential for abuse.
Now put it together… TSA is under DHS. DHS now has Secret Service and other security orgs under its umbrella. Given the track record of DHS, does this give you any warm and fuzzy that they have these powers? Now look at the numbers of how many arrests there have been of terrorists.. I am not seeing a good trend here.
Time for a re-structure.
CoB
“Strutting and fretting his hour upon the security industry stage, And then being heard no more” Part Deux
The Players:
In my first installment of this series I laid out the framework for what I wanted to do to create a new paradigm in information security. The industry has become a den of charlatanism as well as FUD and it just seems to me that more of us in the business are feeling like Sisyphus. On the other end of the equation we have the balancing factor of companies, and people who comprise them, who are just unaware of the precepts of security and really, don’t seem to care once you introduce them to it. You usually get the litany of reasons why they won’t or can’t change the way things work for security’s sake:
- It’s too costly
- It’s too hard
- We can’t change those things because we will have too much down time
- This could never happen to us
- The end users will be too overtaxed with the changes
There are a myriad of other excuses I have heard over the years, but it just seems in general that you present things to people and they just don’t seem to feel that they are important. Even when you hand them a USB drive of their own data that you have taken from them as a part of an assessment. There will always be elements within the company with impetus to not take your advice on security matters and maybe even give you a large amount of pushback. This is especially true of any company that has little to no security posture to start with.
So who are the key client players?
- C-Level Management
- Middle Management
- The CSO/CISO
- End Users
- Coders
- Lawyers
- HR
Above you have the key players that you will always have to navigate your way through to get any security initiatives created or actually implemented at a site. Often times, it is akin to herding cats as the saying goes to get anything accomplished, however, the one true key to it all are the C-Level Executives.
Why?
Because on average, they are not only the ones with the power to make decisions and to implement/mandate things company wide, but also because they are the most dangerous people to the company.
How’s that? You ask…
Well, usually they are not security aware, run ubermegacorporations, and often have the following characteristics;
- They hold the keys to the kingdom with undue access and mobile assets
- Companies kowtow to their every whim and give them said rights as well as unfettered internet access
- Though they may be aware of security risks, they are far too aware of the “bottom line” on the ledger
These traits make the C-Level exec a tasty target for the attacker and often many a phishing email is used to gain a foothold on their machines. This is even more true in the case of corporations that I have worked with in the past who might, say, be a target of APT attacks (i.e. Defense Contractors). There is nothing new here for many of you probably reading this if you are in the business, but it always amazes me at the lack of understanding some of these execs have about security and their place in it.
So, out of all of those players listed above, the C-Levels are the key targets for you to make your point to. You have to do it in such a way that you can convince them that what you are telling them is important but without actually making them think that you are the super hacker one of a kind guy who could only do it. Sometimes this is harder than you might think. Just as well, what if you are not performing a pentest and just an audit of their policies and procedures? What then? All you really have to do at present is look at the weak regulations and laws on the books now and you pretty much get the idea. They are gonna do a quick calculation in their head and say “bye”
I have seen it happen.
So what can you do? How can you reach this audience and get them to understand that the sum of the parts can equal utter compromise and that it’s just not all about a firewall and an IDS? That will be covered in a later section on approaches, however, let me impart one example of extreme results from a little leg work.
Example: UBER BANK A
I once did an assessment on a large bank in the US. This assessment was to be one that primarily focused on policies and procedures and security. After performing interviews with the lower ranks I got a chance to talk to the CFO and the CIO of the bank. Both interviews went over like lead balloons. I asked questions on the security values of their processes and got nonchalant dismissive answers back. In essence, they didn’t give a crap.
Given that this was 2002 and we had just been attacked on 9/11, I asked questions about the C-Level’s awareness of potential terrorism (uber bank had global ties) as well as things like did they have a K&R policy for their execs who traveled out of the country. Their answers came back with the same lack of care or forethought.
“Nope.. We have no need of that”
I left the meetings feeling that all of our efforts were for naught. These guys weren’t going to do anything about the things we would be recommending… Unless they got a taste of what “could” happen. So, I went on the offensive and began using the techniques of OSINT on them, their network, and their physical site.
I called it “Added Value” heh… Gotta love the buzz word bingo huh?
In the process of looking around I discovered that their intranet/physical site had a few interesting features/flaws.
- It was a flat network
- The C-Levels bios and travel calendars were on their website both externally and internally
- Their wire room was physically insecure because of an internally facing window
- The wire room was not alarmed
- A new and CSO unapproved wire transfer system had been put into place with default log/pass
- I located the manuals for the new wire transfer system on their intranet and downloaded it
From all of this information I did the following:
- I Googled all information from the bios of the C-Levels and developed full dossiers on them and their families. I obtained their children’s names, schools, schedules, wives’ names etc (including sat photos of their homes)
- I used their schedules online and created a scenario for the CEO to be kidnapped and ransomed on his upcoming trip out of the country (with maps and timetables)
- I developed a proof of concept of how I could not only access the wire room via the unsecured window but also a network access using the flat network and the defaults on the new wire transfer system to transfer the maximum amount of money from their bank to another account. This transfer (20 million) would go un-noticed for at least 3 days per schedule
- I had the CSO access the wire transfer system with the default pass/log and set up the transfer.. but did not carry it out.
After we had finished the report on the policies and procedures, I passed along the further documentation of the dossiers and the proof of concept… We left the next day. Soon after, I heard that the C-Levels were outraged at what I had done.
HOW DARE YOU!
This of course was mostly about the Dossiers on their families and the terrorist plans, but, the points had been made. They finally began to comprehend that they were indeed targets as well as they could lose major funds from their coffers because they had failed to protect the systems properly.
Years later (in fact last year) I heard from someone who just happened to go to Uber Bank A on a business trip. During the course of their visit, some of the people began to tell the tale of just how much security had improved since a certain audit was performed by a scary hacker… Yep.. It was me. I even made an HR lady cry during that assessment… In any event, they learned from the things I did and they took steps to secure themselves better.
I had to scare them into it though and that kind of chance does not happen often… The C’s are usually quite insulated from reality. However, I think this is where the new breed of testing comes to play. This type of testing could be called “Red Teaming” or “Ninja Hacking” as one book puts it, but I would just call it something like “Offensive Auditing”: an audit that takes stock of the whole environment and shows just how vulnerable a company is from the ground up and offers a way to remediate it all. Had I not performed the extra assessment outside of the policy piece they would not have been aware nor cared. You see, their policies were lacking as were their procedures, which they bypassed in the case of the wire transfer application implementation.
This is where I feel that the industry is failing in a big way. There are all kinds of audits and auditors out there but giving a client a pick and choose menu only leads to their own undoing because things will be missed. Never mind that the industry of late seems to be full of charlatans and ego’s that just don’t seem to be doing any greater good. This also applies to the organizations that offer certifications such as CEH/CISSP/ISACA etc.. There are just too many and not enough good ones.
The Infosec Industry: The Good, The Bad, & The LIGATT
So back to the lament about the industry. Just like any industry, one’s avocation can turn into a “vocation” as I said before. However, usually in the process of doing so, the love of it gets beaten down. Charlatans come out of the woodwork as well as the “music producer” types who just want to pimp anything for a buck. It’s enough to make someone who really loves their job feel like just leaving it after you get the treatment from the clients as well as the one you get from the never ending stream of vendors and schlock.
What is one to do? Perhaps find a company that you can work for that does do things right (not IBM) or you go out on your own and start a company. Either way, you have to prepare yourself for the inevitable charlatan and vendor siege. If you can’t get past that, then you need to move on to something else. I say this because I can foresee no real way to change the business in a way that will be efficacious for “security” and never have its contingent of greedy pseudo security wankers and clowns *cough* LIGATT.
It breaks down into these types though…
Just how can anyone wrangle all of this into a cogent business and legal model?
CoB
Next posting within this series: The Playing Field
Top Secret America: The Fifth Column, Uncontrolled and Unaccounted For
The top-secret world the government created in response to the terrorist attacks of Sept. 11, 2001, has become so large, so unwieldy and so secretive that no one knows how much money it costs, how many people it employs, how many programs exist within it or exactly how many agencies do the same work.
These are some of the findings of a two-year investigation by The Washington Post that discovered what amounts to an alternative geography of the United States, a Top Secret America hidden from public view and lacking in thorough oversight. After nine years of unprecedented spending and growth, the result is that the system put in place to keep the United States safe is so massive that its effectiveness is impossible to determine.
The investigation’s other findings include:
* Some 1,271 government organizations and 1,931 private companies work on programs related to counterterrorism, homeland security and intelligence in about 10,000 locations across the United States.
* An estimated 854,000 people, nearly 1.5 times as many people as live in Washington, D.C., hold top-secret security clearances.
* In Washington and the surrounding area, 33 building complexes for top-secret intelligence work are under construction or have been built since September 2001. Together they occupy the equivalent of almost three Pentagons or 22 U.S. Capitol buildings – about 17 million square feet of space.
From Secret America in the Washington Post
PBS Frontline report coming this fall
When this article came out there seemed to be just a collective murmur as a response by the masses. I figured that either people just didn’t care, didn’t get it, or were just too stunned to comment about it. Upon reading up some more and seeing the Frontline piece, I have decided that most people just can’t grasp the sheer import of this report. What this all says to me is that the government has no idea of just who is doing what and how much money is being spent. What’s more, the people certainly have no idea (the people as in the voting public) what’s really going on either.
Another factor here I think is that many people just have too much faith in the government and in the corporations. When you really look at it though, once you have worked in the sausage factory and have seen how it’s made, you really never want to eat sausage again. It’s like that with working for the government and or corporations really. Having spent all these years in the information security business working for Fortune 500 companies as well as the government, I can say I do not want to “eat the sausage.” Of course perhaps the better thing to say is that I do not trust the government nor corporations because they both are comprised of inept people and red tape.
By far though, the concerns that I have are something a bit more ominous in nature. I fear that these machinations will only lead to greater abuses of power by not only the government but also the corporate entities that they have tasked with performing all this secret work. It used to be that there was government oversight on the intelligence community, but you knew that there was some off books things happening. Now, we have post Iraq and still ongoing in Afghanistan, a contractor proxy war that now includes a civilian intelligence element. An element that now seems to be even more “civilian” because it is being operated by corporations and not wings of the government. It gives a new meaning to “black ops”
Another interesting turn in this “secretification” to steal a Bush-ism is the whole issue of just how far the pendulum has swung from the nations not caring so much about HUMINT and intelligence to suddenly being even more fervent about it, it seems, than they were during the cold war years. I might also hazard a statement to say that since 9/11 it has generally felt more and more like the 50’s again where paranoia is concerned about the “enemy threat to the homeland.”
Are we in danger? Yes. Do we need to have to go back to the 50’s mentality of us and them with a McCarthy-esque twist? No.
Of course all or most of this is aimed at Jihadi terrorists and not a governmental body like the Soviet bloc and this is where the disconnect seems to be the largest for me. It’s rather ironic actually that all this effort is being predicated on fighting a group of people who are not generally known for being easily infiltrated nor as easy to get a grasp on as the Sov’s were. People just knee jerked after 9/11 and really, they have only created even more bureaucracy in which the real INTEL will get lost and another attack likely happen because of it.
Welcome to Washington’s dementia…
SPOOK COUNTRY 2011: HBGary, Palantir, and the CIRC
CIRC: The New Private Intelligence Wing of (insert company name here)
The HBGary debacle is widening and the players are beginning to jump ship each day. The HBGary mother company is disavowing Aaron Barr and HBGary Federal today via twitter and press releases. However, if you look at the email spool that was leaked, you can see that they could have put a stop to Aaron’s game but failed to put the hammer down. I personally think that they all saw the risk, but they also saw the dollar signs, which in the end won the day.
What Aaron and HBGary/Palantir/Berico were offering was a new kind of intelligence gathering unit or “cell” as they called it in the pdf they shopped to Hunton & Williams LLP. Now, the idea and practice of private intelligence gathering has been around for a very long time, however, the stakes are changing today in the digital world. In the case of Hunton, they were looking for help at the behest of the likes of Bank of America to fight off Wikileaks… And when I say fight them off, it would seem more in the sense of an anything goes just short of “wet works” operations by what I see in the spool which is quite telling.
You see, Wikileaks has made claims that they have a certain 5 gig of data that belonged to a CEO of a bank. Suddenly BofA is all set to have Hunton work with the likes of Aaron Barr on a black project to combat Wikileaks. I guess the cat is out of the bag then isn’t it on just whose data that is on that alleged hard drive huh? It would seem that someone lost an unencrypted drive or, someone inside the company had had enough and leaked the data to Wikileaks. Will we ever really know I wonder?
Either way, Barr et al, were ready to offer a new offering to Hunton and BofA, an intelligence red cell that could use the best of new technologies against Anonymous and Wikileaks. Now, the document says nothing about Anonymous nor Wikileaks, but the email spool does. This was the intent of the pitch and it was the desire of Hunton and BofA to make both Anonymous and Wikileaks go away, for surely if Wikileaks were attacked Anonymous would be the de facto response would they not?
A long time ago William Gibson predicted this kind of war of attrition online. His dystopian world included private intelligence firms as well as lone hackers out there “DataCowboy’s” running the gamut of corporate intelligence operations to outright theft of Pharma-Kombinat data. It seems that his prescient writings are coming into shape today as a reality in a way. With the advent of what Barr and company wanted to offer, they would be that new “cowboy” or digital Yakuza that would rid clients of pesky digital and real world problems through online investigation and manipulation.
In short, Hunton would have their very own C4I cell within their corporate walls to set against any problem they saw fit. Not only this, but had this sale been a go, then perhaps this would be a standard offering to every other company who could afford it. Can you imagine the bulk of corporations out there having their own internal intelligence and dirty tricks wings? Nixon, EH Hunt, and Liddy would all be proud. Though, Nixon and the plumbers would have LOVED to have the technology that Aaron has today, had they had it, they may in fact have been able to pull off that little black bag job on Democratic HQ without ever having to have stepped inside the Watergate.
The Technology:
I previously wrote about the technology and methods that Aaron wanted to use/develop and what he was attempting to use on Anonymous as a group as the test case. The technology is based on frequency analysis, link connections, social networking, and a bit of manual investigation. However, it seemed to Aaron, that the bulk of the work would be on the technology side linking people together without really doing the grunt work. The grunt work would be actually conducting analysis of connections and the people who have made them. Their reasons for connections being really left out of the picture as well as the chance that many people within the mass lemming hordes of Anonymous are just click happy clueless folks.
Nor did Aaron take into account the use of the same technologies out there to obfuscate identities and connections by those people who are capable, to completely elude his system altogether. These core people that he was looking to connect together as Anonymous, if indeed he is right, are tech savvy and certainly would take precautions. So, how is it that he thinks he will be able to use macroverse data to define a micro-verse problem? I am steadily coming to the conclusion that perhaps he was not looking to use that data to winnow it down to a few. Instead, through the emails, I believe he was just going to aggregate data from the clueless LOIC users and leverage that by giving the Feds easy pickings to investigate, arrest, and hopefully put the pressure on the core of Anonymous.
There was talk in the emails of using pressure points on people like the financial supporters of Wikileaks. This backs up the statement above because if people are using digital means to support Wikileaks or Anonymous they leave an easy enough trail to follow and aggregate. Those who are friending Facebook support pages for either entity and use real or pseudo real information consistently, you can easily track them. Eventually, you will get their real identities by sifting the data over time using a tool like Palantir, or for that matter Maltego.
The ANONYMOUS names file
This however, does not work on those who are net and security savvy.. AKA hackers. Aaron was too quick to make assumptions that the core of Anonymous weren’t indeed smart enough to cover their tracks and he paid the price as we have seen.
The upshot here and extending what I have said before.. A fool with a tool.. Is still a fool.
What is coming out though more each day, is that not only were Aaron and HBGary Fed offering Palantir, but they were also offering the potential for 0day technologies as a means to gather intelligence from those targets as well as use against them in various ways. This is one of the scarier things to come out of the emails. Here we have a company that is creating 0day for use by intelligence and government that is now potentially offering it to private corporations.
Truly, it’s black Ice… Hell, I wouldn’t be surprised if one of their 0day offerings wasn’t already called that.
The INFOSEC Community, HBGary, and Spook Country:
Since my last post was put on Infosecisland, I had some heated comments from folks who, like those commenting on the Ligattleaks events, have begun moralizing about right and wrong. Their perception is that this whole HBGary is an Infosec community issue, and in reality it isn’t. The Infosec community is just what the shortened name means (information security). You all in the community are there to protect the data of the client. When you cross the line into intelligence gathering you go from a fairly clear black and white, to a world of grays.
HBGary crossed into the gray areas long ago when they started the Fed practice and began working with the likes of the NSA/DOD/CIA etc. What the infosec community has to learn is that now the true nature of cyberwar is not just shutting down the grid and trying to destroy a country, but it also is the “Thousand Grains of Sand” approach to not only spying, but warfare in general. Information is the currency today as it ever was, it just so happens now that it is easier to get that information digitally by hacking into something as opposed to hiring a spy.
So, all of you CISSP’s out there fighting the good fight to make your company actually have policies and procedures, well, you also have to contend with the idea that you are now at war. It’s no longer just about the kiddies taking credit cards. It’s now about the Yakuza, the Russian Mob, and governments looking to steal your data or your access. Welcome to the new world of “spook country”
There is no black and white. There is only gray now.
The Morals:
And so it was, that I was getting lambasted on infosecisland for commenting that I could not really blame Anonymous for their actions completely against HBGary/Aaron. Know what? I still can’t really blame them. As an entity, Anonymous has fought the good fight on many occasions and increasingly they have been a part of the mix where the dominoes are finally falling all over the Middle East presently. Certain factions of the hacker community as well have been assisting when the comms in these countries have been stifled by the local repressive governments and dictators in an effort to control what the outside world sees as well as its own people inside.
It is my belief that Anonymous does have its bad elements, but, given what I know and what I have seen, so does every group or government. Take a look at our own country’s past with regard to the Middle East and the CIA’s machinations there. Instead of fighting for a truly democratic ideal, they have instead sided with the strong man in hopes of someday making that transition to a free society, but in the meantime, we have a malleable player in the region, like Mubarak.
So far, I don’t see Anonymous doing this. So, in my world of gray, until such time as Anonymous does something so unconscionable that it requires their destruction, I say let it ride. For those of you out there saying they are doing it for the power and their own ends, I point you in the direction of our government and say this: “Pot —> Kettle —> Black”. Everyone does everything, whether it be a single person or a government body, out of a desired outcome for themselves. It’s a simple fact.
Conclusion:
We truly live in interesting times, as the Chinese would curse us with. Today the technology and the creative ways to use it are outstripping the governments in ability to keep things secret. In the case of Anonymous and HBGary, we have seen just how far the company was willing to go to subvert the laws to effect the ends of their clients. The same can be said about the machinations of the government and the military in their ends. However, one has to look at those ends and the means to get them and judge just what is out of bounds. In the case of the Barr incident, we are seeing that true intelligence techniques of disinformation, psyops, and dirty tricks were on the table for a private company to use against private citizens throughout the globe.
The truth is that this has always been an offering… Just this time the technologies are different and more prevalent.
If you are online, and you do not take precautions to ensure your privacy, then you lose. This is even more true today in the US as we see more and more bills and laws allowing the government and police to audit everything you do without the benefit of warrants and/or by use of National Security Letters.
The only privacy you truly have is that which you make for yourself. Keep your wits about you.
K.
Written by Krypt3ia
2011/02/19 at 20:45
Posted in 1st Amendment, A New Paradigm, Advanced Persistent Threat, Anonymous, APT, Business Intelligence, Business is war, CAUI, Chiba City Blues, CIA, Codes, COMINT, Commentary, Corporate Intelligence, CounterIntelligence, Covert Ops, CyberSec, CyberWar, Digital Ecosystem, Dystopian Nightmares, Espionage, Hacking, HUMINT, Infosec, Infowar, INTEL, Maltego, Malware, Narus STA 6400, Neurobiology, OPSEC, OSINT, Panopticon, PsyOPS, Recon, Security, Security Theater, SIGINT, Social Engineering, Subversive Behavior, Surveillance State, Tactics, The Five Rings, Tradecraft, Weaponized Code, Wikileaks