Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Situational Awareness’ Category

Leaderless Jihad and Open Source Jihad: A Marriage Made In Hell.

leave a comment »

7631834-3x2-700x467

In 2013 I wrote about leaderless jihad and the “Stand Alone Complex” Now we are seeing this type of leaderless, “inspired by” thought virus playing itself out on the national stage. Last nights attack using a lorrie was something that was presaged by two issues of Inspire Magazine back in 2010 and 2014. There isn’t much to it really to gather some weapons, steal a truck, and then plow it into a crowd but it has taken this long for the insidious idea to take root in the collective unconscious of the would be jihadi’s. The days of a more rigid and trained “jihad” are being eclipsed by would be unbalanced individuals seeking attention and reinforcement of their sick ideas through the media, the internet, and our collective inability to look away from a tragic scene on a glowing screen.

Screenshot from 2016-07-15 07:00:082014 Inspire

 

Screenshot from 2016-07-15 07:04:082010 Inspire 2 “Ultimate Mowing Machine”

 

Soft targets were always the preferred avenue of attack but now they are becoming seen as a top priority for security forces since the attacks in France and other places like Bangladesh. While Dahka on the face of it had a contingent of more trained individuals the attack last night is as simplistic as they come. This is what is really scaring the populace and the security services because now it seems that the authors and actors of these acts are in fact just one guy and not a cabal that they could perhaps track using pervasive surveillance. A cell of one is hard to track and certainly if they self radicalize by just downloading Inspire magazine and watching YouTube, well, what can one do? There are no easy answers here in the world of detection and prevention.

Screenshot from 2016-07-15 09:26:04

So here we have it, I have been pointing this out for a while and at first it was AQAP trying to inspire “OSJ” or Open Source Jihad. Now Dabiq and Da’esh are carrying it on and furthering it with the media zeitgeist that ensues with each attack. The net effect here is that these people are selfradicalizing with the help of the media’s obsession on covering ad nauseum these acts. The pervasive hand wringing and talking heads only serve to whet the appetite of the would be jihobbyist into action. Forget the Inspire magazines and the videos, just watch CNN and that is enough it seems. This all is very much like the plot line to “The Laughing Man” arc of Ghost In The Shell. An act carried out on the media instilled others to carry out like acts to be on the media and further the idea(l) as well as serve as a means to self fulfil the actors need for attention and satisfaction.

laughing-man

This is pure psychology at work and there are a host of reasons and syndromes that could likely be pointed at to rationalize it’s happening. The fact of the matter is that now we are seeing it play out rather bloodily on the streets of the world in furtherance of an idea and ideal set that lends itself to the like minded.. Or should I say mentally ill? Yes, I would say mentally ill. These actors are acting out and likely have some borderline tendencies to start with. These people feel outcast in their societies or out of place within the societies they are living in as a second generation citizen. It is a complex thing to nail down and I suggest that anyone who might want to delve into it further read “Leaderless Jihad” by Marc Sageman.

We need a more nuanced approach to the GWOT and I am afraid we won’t get that…

K.

 

L’affaire du Petraeus: Electronic Communications (ELINT) and Your Privacy

with 2 comments

//BEGIN

Afsrtbnfmzndopeezygpmcmvgbcnlstmcgthozr rkmrkmjlskkmgecuvgi

//END

Thoughts On The Politics, Media Frenzy, and Schadenfreude

As you all now know, general Petraeus (aka P4) was caught using a dead drop Gmail acct with his lover (Broadwell) because the lover got jealous over another woman who was perhaps flirting with her down low guy. Many out there have made this all into a Greek tragedy though because of the perceived rights to privacy we all are supposed to enjoy as US citizens and bemoan the whole affair because it was all leaked to the press. Personally I think that it was necessary for the general to step down from the DCI post as well as be outed because he was DCI to start however, generally this thing has become the new digital slow speed chase in a white bronco all over again for me.

Sure, the schadenfreude is fun, and there are many gawkers and rubber necks out there watching with glee but in the end there is much more to this debacle than just getting some on the side within the political sphere. The bigger picture issues are multiple and I will cover them below, but to start lets just sit back and watch the calamitous demolition of those who partook and their hubris.

*pours whiskey into glass and watches*

Petraeus and His Fourth Amendment Rights as Director Central Intelligence (DCI)

Some (namely Rob aka @erratarob) bemoaned the general’s 4rth amendment rights being contravened and thusly, expanding to everyone’s in general as being egregious. My answer to Rob yesterday still stands today for me. As DCI of the CIA the general had no right to privacy in this vein. Why? Because as the leader of the CIA he was the biggest HVT that there ever was for some kind of blackmail scheme so common to the world of spooks. Though the general tried to be cautious, his lover began the downfall with her threatening emails to someone else. Now, usually this type of case would not even be one at all for the FBI were it not for the sordid affair of the SA who Kelley knew and went to to “look into” this matter for her as a favor. This was inappropriate in and of itself and a case never should have been logged never mind any investigation carried out by the SA to start with.

That the FBI agent began looking into the emails and actually tasked the FBI’s lab boys to look into it, well, then it became a case. OPR is looking into it all now and sure, something may come of that investigation (i.e. the SA will be drummed out maybe) it all changed timbre once Petraeus’ name became part of the picture. As DCI P4 held the top most clearance possible as well as the data attendant to that designation. As such, any kind of activity like this would immediately call for an investigation into what was going on as well as what kind of damage may have occurred through compromise of his accounts or his credibility. So, anyone who asks why this is such a big deal and why the FBI did what they did, you need to just look at that one salient fact. The problem isn’t that they investigated, the problem instead is that P4 was doing this in the first place and may have actually given Broadwell more access than he should have to information he had within his possession.

This of course still has to be investigated and reported on and that’s why it all came to pass.

The Expanded Powers of The US Government (LEA’s) To Search Your Emails and the Fourth Amendment

Meanwhile, the civil libertarians are all over this from the perspective that “We the people” have little to no privacy online as the government and LEA’s can just subpoena our email in/outboxes without any oversight. This has been a problem for some time now (post 9/11 really PATRIOT Act) so it should not be new to anyone who’s been paying attention. It is true though, that those powers have been expanded upon since the Patriot Act was passed but overall, the technologies have outstripped the privacy possibilities for the most part in my book. For every countermeasure there’s always another that can be used against it to defeat your means of protection. Add to this that the general populace seems to be asleep at the digital wheel as well and the government has a free hand to do whatever they like and get away with it.

Frankly, if you are ignorant of the technology as well as the laws being passed surrounding it then it is your fault if you get caught by an over-reaching LEA. It’s really that simple. If the general populace is not out there lobbying against these Orwellian maneuvers by law enforcement as well as using any and all technology to communicate securely then it’s their God damned fault really when they get pinched or spied on. It’s all of your jobs out there to know the laws, know what’s going on, and most of all, to know how to protect your communications from easy reading by LEA’s and others. I firmly believe that the laws on the books and the slip-space between where LEA’s and governments are abusing them is egregious but I as one person can do nothing to stop it from happening at a legal level. At a technical level though, that is a completely different story.

Your “Papers and Effects” Digitally… 

Now we come to a real sticky bit in this whole debacle. The Founding Fathers listed “Papers and Effects” while today the law and the government seem to think that electronically, neither of these terms apply to your online communications. Last year I sat through a tutorial by the EFF on this very thing and was not completely shocked by what they were saying as much as wondering just how people let this slide. According to the EFF the LEA’s see no relevance to the words papers and effects when it comes to an email inbox or a Dropbox. What this means is that they can just sneak and peek in some cases without a warrant or a subpoena. If you have email or files being hosted anywhere online, not on a system within the confines of your home, then it’s really fair game to them. I also assume the same can be said for any files/emails on any intermediary servers that they may pass through and are cached as well. So really, once you log in and create the email outside of your machine at home (i.e. being logged onto Gmail for example) it’s already not a paper or effect within the confines of your domicile.

Once again, the law is outdated and should be amended to cover discreetly the nature of email, its ownership and the protections that you “think” you have already as it is a paper of yours and thus covered by the Fourth Amendment. Will this happen though? I am not overly optimistic that it will even make the table with or without the likes of the EFF trying to push the issue frankly. The government has it the way they want it as well as their machinations via Patriot Act allow for so much latitude just to make their lives easier to snoop against anyone for fear of terrorism. Face it folks, we are pretty much Borked here when it comes to our online privacy, and not only from the LEA/Gov perspective either. Just take a look at all of the corporate initiatives out there in EULA’s and lobbying such as RIAA or MPAA. Any way you look at it, your data, once out of your local network, is no longer legally yours.

The Only Privacy Today That YOU Have Is That Which YOU Make For Yourselves With Crypto

This brings me to what you can do about all of this today. The only way to really have that privacy you desire is to make it yourself and to insure that it can withstand attacks. By using strong cryptography you can in fact protect your fourth amendment rights online. You have to insure that the crypto is strong, tested, and not back door’d but there are more than a few products out there on the market that will do the job such as PGP/GPG. In fact, Phil Zimmerman got into trouble with the US Government in the first place because PGP, to them, was considered to be a munition! So really, what is stopping you all from using it en mass? Well, i am sure there’s a healthy dose of lazy in that mix but I would have to say for many its the lack of comprehension on how it works and how to manage it that stops the general populace. Of course I have to say that PGP on a Windows box is really really easy to use so, once again we are back to lazy.

Anyway, unless you assiduously apply crypto to your communications, whether it be a PGP encrypted email or a chat session using OTR (Off The Record Messaging) consider yourself open to LEA abuse. The other side of that coin unfortunately is that if you are encrypting all your communications, the LEA’s may get to wondering just what you are up to and force the issue. I guess it’s much better to have them wondering and FORCE them to get a warrant to search your home then to just roll over and allow them to see all your dirty laundry (looking at you P4) because it’s open for the taking on a Gmail server somewhere. I mean, yeesh people, you worry about your second amendment rights all the time, moaning and whining about your need to carry a gun but you don’t do shit about encrypting your traffic?

*sad*

TRADECRAFT and OPSEC Are Important As Well

Another component that the general tried to use and failed so miserably at (which scares the living shit outta me as he was DCI after all) was the old “dead drop” method. The modern twist on this is the use of a Gmail account where you just log into it shared and leave draft emails for the other party. This has been something the AQ guys have been using for a long time and once again, it is futile to stop the LEA’s from seeing it all unless you encrypt it! This was the main failure in the case of P4 and his squeeze. No crypto allowed all the lascivious emails to be read in situ and that was just stupid. They through they were being so smart using a tactic that we have been monitoring AQ on for how long?

*duh*

The second massive failure on the part of both P4 and Broadwell (other than P4’s bad judgement of crazy women) was that neither of them were anonymizing their logon’s to the email properly and consistently. It seems perhaps this may have been more Broadwell than P4 but meh. In the end it was the downfall as the FBI tracked the IP addresses from the Google logons across the country to hotels where she was staying. All they needed to do in the end was match names for each hotel and BING they had her. At the end of the day, OPSEC is king here and both military veterans failed miserably at understanding this which is really frightening frankly. If you want to play the game know the OPSEC and TRADECRAFT and APPLY them properly. The same goes for you all out there who are crying about your privacy. You too will succumb in the same way if you do not pay attention.

Welcome To The Digital Panopticon

Finally, a parting thought. I have said this before and I am saying it again here. “Welcome to the digital Panopticon”  No longer are you in a place where there are corners to hide easily. With the governments of the world trying to gain control over the way we communicate electronically we will see increasing measures of privacy stripped in the name of anti-terrorism as well as transparency. Have no doubts that the governments that apply this logic will of course have back doors for their own secrecy but surely not yours. It will remain your problem and your duty to protect yourselves if you are using the infrastructure to communicate to anyone. Know this, say it as a mantra. If you do nothing about it, then you have nothing to complain about.

So I exhort you, learn and use encryption properly. Go to a cryptoparty near you and learn from the cipherpunks! Deny the governments of the world the ability to easily just look in on your lives whenever they feel the need without due process. Until such time as the laws are amended and some fairness put into it, you are just cattle for them to herd and cull.

There’s no excuse…

K.

Written by Krypt3ia

2012/11/14 at 18:27

Hello sir, I Just Sent You A PDF.. Can You Open It and Tell Me How Many Pages There Are?

with 5 comments

As Overheard From Two Bearded *NIX Masters

This morning I happened to overhear a conversation and a phone call that spurred it that, once all was said and done, had me thinking “WTF?” The phone call came in to a *NIX admin who, was asked to verify the number of pages within a pdf file that had been sent to them by the salesman on the phone.

*blink*

Uhh Say what? The admin did not go for it and was not willing to give out much information to the caller, but, after they had hung up I asked some pertinent questions about the call and just what they wanted from the admin. His response was that this had happened before on a few occasions and that he was just not interested in doing the dance with the sales rep at this time….

I was amazed at a few things in this exchange and immediately went into attack mode thinking as to what I had just witnessed and heard.

Uhhh Say WHAT? Sounds Like You Were Being Socially Engineered!

I informed the *NIX admin that this was really sounding like a social engineering exploit and asked just how many times and when (recently?) had this trend begun. He came back with a statement that then took me aback again;

“Yeah, well I really don’t care so much because I am running Linux on this box.. So the exploit would not work”

*blink blink —>head—desk*

“Sure, you are running Linux but that does not preclude the exploit being something else that would work on a *NIX system” was what was screaming through my head here. This guy is no slouch and neither is the other admin, but both pretty much had the same blasé attitude about it. Though, they did admit after I told them that it sounded like a new script for an old SE attack, they still seemed un-phased.

My response to all of this was to immediately dash off a communiqué to the C levels explaining the potential exploit and that I had wondered just how many other people in the company were potentially being asked to open .pdf files on their Windows systems with Adobe and compromising themselves! Needless to say, this was going to have to be a learning experience from more than a few levels and actions would have to be taken to alert the masses and gently remind them about the problems of SE in the wild.

…. Even for the likes of the *NIX admins who think they are immune to such puny attacks.. PFFT Windows *said like it was a social disease*

Situational Awareness

This is a teaching moment and I think that this is something that many companies need to pay attention to today. After all, how many systems have been breeched of late and thousands upon thousands of email addresses released to the masses? How many of those have in fact fallen into the hands of the phishers out there? What’s more, how many of those addresses of late have been for military or military/government affiliated people that are high value targets for APT activities?

Generally, people just aren’t thinking all that much when they get these calls. Sure, we tell them that people should never be asking them for their passwords and some of the low hanging fruit attacks of old, but now this..

Open this file would you? Tell me how many pages it has to verify that you got it would you?

Wow, how many people are falling for this one? Even if it is just a sales rep, this is clearly a SE attack in the hands of a sales person to keep the mark on the phone right? What has the world come to now that the sales teams are blatantly using SE tactics on the phone? What’s more, in this day and age of all the hacking going on and worries about industrial espionage just how many workers are just falling for it?

Never mind them just opening up the files willy nilly when they get them anyway right?

Situational awareness should be a KEY part to any companies security program and should be something that is ever present if you really mean to protect your assets. Of course some could make this out to sound like a police state kind of feel to corporate environments that want to be all touchy feely today (being the best places to work kind of thing) So, being so dialled in to security issues like SE attacks, might be seen as more big brother and paranoid than really a boon. I think that there is a median to tread on this and any program for security should be cognisant of this issue as well as proactive in teaching the employees how not to be so easily manipulated.

Though, as a rule today, I think we as a society are not so “situation-ally aware” as we should be.. But that is for another day…

As They Say.. “There Is No Patch For Human Stupidity”

There is a bumper sticker that I have seen at the con’s that makes the statement “There is no patch for human stupidity” I would like to change that to “There is no patch for human nature” What some see as stupidity is just human nature. I have written a few times in the past about my pov on this. People are no longer living on the savannah and have to worry about the lion in the grass. So, we as a species, have lost our ability to really sense danger and to listen to the little voice that we all have…

We instead might think we are just being paranoid… Well, there’s another phrase that you should be acquainted wit;

“Just because I am paranoid doesn’t mean that they aren’t out to get me”

People generally want to be helpful and can empathise with others. This is a main characteristic in our make up and something that can be lauded. However, it can also be used to the extreme by those who have more  “moral flexibility” than others lets say. So this will always be a problem and it should take a solid place in your security program… It’s just getting the C levels to understand and react..

That’s the key.

Anyway, pay attention folks. This SE exploit may be coming to you soon.. Or already is.

Happy Buffer Overflows!

Now, I have to write some more tutorials and re-program some *NIX beardy types…

K.

Written by Krypt3ia

2012/01/12 at 18:51