Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Social Engineering’ Category

Anonymous #HQ: Inside The Anonymous Secret War Room

with 7 comments

John Cook and Adrian Chen — Dissident members of the internet hacktivist group Anonymous, tired of what they call the mob’s “unpatriotic” ways, have provided law enforcement with chat logs of the group’s leadership planning crimes, as well as what they say are key members’ identities. They also gave them to us.

The chat logs, which cover several days in February immediately after the group hacked into internet security firm HBGary’s e-mail accounts, offer a fascinating look inside the hivemind’s organization and culture.

  • Sabu
  • Kayla
  • Laurelai,
  • Avunit,
  • Entropy,
  • Topiary,
  • Tflow
  • Marduk
  • Metric
  • A5h3r4

So, Hubris/A5h3r4/Metric have broken into the inner circle of at least one cell of Anonymous. I say cell because I do not think that these users are the actual full scale leaders of Anonymous, instead, as I have said before, there are cell’s of Anon’s that perform operations sporadically. These folks, if the chat transcripts are true, are the ones just behind the HBGary hack and at least one of them, with the Gawker hack.

Once again, I will reiterate here that I think Anonymous is more like a splinter cell operation than anything else. There is an aegis from the whole as an idea, but, they break off into packs for their personal attacks, or whatever turns them on. They coalesce into a unit when they feel moved to, but, they do not overall, just get together and act without direction on the part or parts of leaders.

The example below of the transcripts for #HQ show that these characters though, are a little high on themselves after the hack on HBG… And you know what happens when you don’t pay attention to the hubris factor. You get cocky and you get burned. As you can see below, some of them are at least nervous about being popped or infiltrated.. Those would be the smart ones…

04:44 <&Sabu> who the fuck wrote that doc
04:45 <&Sabu> remove that shit from existence
04:45 <&Sabu> first off there is no hierachy or leadership, and thus an operations manual is not needed

[snip]

04:46 <&Sabu> shit like this is where the feds will get american anons on rico act abuse and other organized crime laws
04:47 <@Laurelai> yeah well you could have done 100 times more effective shit with HBgary
04:47 <@Laurelai> gratted what we got was good
04:47 <&Sabu> if you’re so fucking talented why didn’t you root them yourselves?
04:47 <@Laurelai> but it could have been done alot better
04:47 <&Sabu> also we had a time restraint
04:48 <&Sabu> and as far as I know, considering I’m the one that did the op, I rooted their boxes, cracked their hashes, owned their emails and social engineered their admins in hours
04:48 <&Sabu> your manual is irrelevent.

[snip]

04:51 <&Sabu> ok who authored this ridiculous “OPERATIONS” doc?
04:51 <@Laurelai> look the guideline isnt for you
04:51 <&Sabu> because I’m about to start owning nigg3rs
04:51 <&marduk> authorized???
04:52 <@Laurelai> its just an idea to kick around
04:52 <@Laurelai> start talking
04:52 <&Sabu> for who? the feds?
04:52 <&marduk> its not any official doc, it is something that Laurelai wrote up.. and it is for.. others
04:52 <&marduk> on anonops
04:52 <&Sabu> rofl
04:52 <@Laurelai> just idea
04:52 <@Laurelai> ideas
04:52 <&Sabu> man
04:52 <&marduk> at least that is how i understand it
04:52 <@Laurelai> to talk over
04:53 <&Sabu> le sigh
04:53 <&marduk> mmmm why are we so in a bad mood?
04:53 <&Sabu> my nigga look at that doc
04:53 <&Sabu> and how ridiculous it is

[snip]

04:54 <&marduk> look, i think it was made with good intentions. and it is nothing you need to follow, if you dont like it, it is your good right
04:55 <&Sabu> no fuck that. its docs like this that WHEN LEAKED makes us look like an ORGANIZED CRIME ORGANIZATION

My observations though have always been that the groups would be infiltrated by someone and then outed. It seems that this may indeed be the case here if the data is indeed real. It seems to me that a certain j35t3r said much the same before, that he could and did indeed infiltrate the ranks, and had their data. Perhaps J has something to do with this? Perhaps not… Still, the principle is sound.

  1. Infiltrate
  2. Gather INTEL
  3. Create maps of connections
  4. Report

It would seem also that these guys are liminally aware of the fact that their actions can be seen as a conspiracy and that the government will not only get them on hacks potentially, but also use the conspiracy angle to effectively hogtie them in court. Let me tell you kids, there is no perfect hack… Well unless the target is so inept as to have absolutely no logging and does not even know for a very long time that they had been compromised.. Then the likelihood of being found out is slimmer, but, you guys popped and then outed HBG pretty darn quick.

I am willing to bet there are breadcrumbs.. And, those said breadcrumbs are being looked at by folks at some three letter agencies as I write this. You see kids, you pissed in the wrong pool when it comes to vindictiveness. I agree that HBG was up to bad shit and needed to be stopped, but, look at the types of things they were planning. Do you really think that they are above retaliation in other ways than just legal? After all, they were setting up their own digital plumbers division here huh?

Anyway… Just sayin…

Back on topic here with the Backtrace folks and the logs. I have looked at the screen names given and have come to the conclusion that they are all generic enough that I could not get a real lock on anything with Maltego. I had some interesting things pop up when you link them all together, but, overall not enough to do anything meaningful. The other issue is that Maltego, like any tool using search engines and data points, became clogged with new relational data from the articles going wide. I hate it when the data is muddied because of this.

So, yeah, these names are not unique enough to give solid hits. Others though who have been re-using nicks online as well as within the confines of Anonops, well that is another story. I just have this feeling that there are larger drift nets out there now hoovering all you say and do on those anon sites, even if they are in the .eu space. I still have to wonder if any of those IRC servers have been compromised yet by certain intelligence agencies.

One wonders too if China might also be playing in this area… How better to sow discontent and destabilize than to use a proxy like Anonymous for operations?

For that matter.. How about the CIA?

NSA?

Think on it… Wouldn’t Anonymous make a perfect false flag cover operation?

For now, I am going to sit and watch. I would like to see the full chat transcripts though. Now that would be interesting.

“May you live in interesting times”

Indeed.

K.

Anonymous vs. Anonymous: Enough Hubris To Go Around

leave a comment »

The nameless revolution that calls itself Anonymous may be about to have its own, online civil war.

A hacker startup calling itself Backtrace Security–made up of individuals who formerly counted themselves as part of Anonymous’ loose digital collective–announced plans Friday to publish identifying information on a handful of active members of Anonymous. According to one source within the Backtrace group, it will release the names and instant messaging logs of dozens of Anonymous hackers who took part in attacks onPayPal, Mastercard, the security firm HBGaryWestboro Baptist Church, and the Marine officials responsible for the detainment of WikiLeaks source Bradley Manning.

That spokesman, who goes by the name Hubris and calls himself BackTrace’s “director of psychological operations,” tells me that the group (Backtrace calls itself a company, but Hubris says it’s still in the process of incorporating) aims to put an end to Anonymous “in its current form.” That form, Hubris argues, is a betrayal of its roots: Fun-loving, often destructive nihilism, not the political hacktivism Anonymous has focused on for much of the past year. “[Anonymous] has truly become moralfags,” says Hubris, using the term for hackers who focus on political and moral causes instead of amoral pranks. “Anonymous has never been about revolutions. It’s not about the betterment of mankind. It’s the Internet hate machine, or that’s what it’s supposed to be.”

The rest is HERE

“Cyberdouchery” it’s a term coined within the last year as far as I know for snake oil or hype mongers within the Infosec community. I have to say that this alleged group of ex-anon’s kinda fits the term for me. Whether it’s the reason that they state of being tired of Anonymous’ being moral fags, or the idea that they just want to get back to their troll roots, I pretty much just think its a publicity stunt. Of course, the darker side of me could see the way to believing that this is just some sort of psyop by person/persons unknown to get a reaction out of Anonymous.

I have written in the past about the herd mentality as well as convergence theory where it regards Anonymous. In each of those scenarios though, there is the idea that there are leaders. No matter the number of times Anonymous may say they are leaderless, I say that this is just impossible from the point both of these theories take. Even if someone is a leader for a day or minute, there is a leader, and there are followers, either anointed by the pack or by themselves. There are also the minions that do the work, such as the mods and the managers of the servers and systems. Those too could be seen as leaders within the infrastructure too. Now it seems though, that this new group is going to attempt to name leaders by use of social engineering and data collection.

… And that is what Aaron Barr wanted to do.. Well sorta… Then he shot himself in the foot with his own machine gun of hubris.

All in all though, this looks to be on the face of it, just an attempt at #LULZ by these folks at Backtrace. The use of the crystal palace image alone screams nearly the same shrill tune as using too many numbers in one’s nickname in leet terms. If you look closely though, you will see that they also claim to offer services such as “Cyber Espionage” *blink* Not counter intelligence nor counter cyber espionage, but cyber espionage. Just as they also offer cyber warfare and a host of other hot terms with cyber in them. That just reeks of the cyberdouchery I spoke of at the top of the post. So, in reality I don’t take this all too seriously.

I guess we will just have to wait and see what develops with this insurance file and the alleged outing that will happen…

There will be #lulz

K.

The force with no name: By Antonia Zerbisias of The Star

leave a comment »

 

 

The force with no name


SPOOK COUNTRY 2011: HBGary, Palantir, and the CIRC

with 5 comments

 

The establishment of a Corporate Information

Reconnaissance Cell (CIRC) will provide Hunton &

Williams LLP with a full spectrum capability set to

collect, analyze, and affect adversarial entities and

networks of interest.

From: Team Themis pdf


CIRC: The New Private Intelligence Wing of (insert company name here)

The HBGary debacle is widening and the players are beginning to jump ship each day. The HBGary mother company is disavowing Aaron Barr and HBGary Federal today via twitter and press releases. However, if you look at the email spool that was leaked, you can see that they could have put a stop to Aaron’s game but failed to put the hammer down. I personally think that they all saw the risk, but they also saw the dollar signs, which in the end won the day.

What Aaron and HBGary/Palantir/Berico were offering was a new kind of intelligence gathering unit or “cell” as they called it in the pdf they shopped to Hunton & Williams LLP. Now, the idea and practice of private intelligence gathering has been around for a very long time, however, the stakes are changing today in the digital world. In the case of Hunton, they were looking for help at the behest of the likes of Bank of America to fight off Wikileaks… And when I say fight them off, it would seem more in the sense of an anything goes just short of “wet works” operations by what I see in the spool which is quite telling.

You see, Wikileaks has made claims that they have a certain 5 gig of data that belonged to a CEO of a bank. Suddenly BofA is all set to have Hunton work with the likes of Aaron Barr on a black project to combat Wikileaks. I guess the cat is out of the bag then isn’t it on just who’s data that is on that alleged hard drive huh? It would seem that someone lost an unencrypted drive or, someone inside the company had had enough and leaked the data to Wikileaks. Will we ever really know I wonder?

Either way, Barr et al, were ready to offer a new offering to Hunton and BofA, an intelligence red cell that could use the best of new technologies against Anonymous and Wikileaks. Now, the document says nothing about Anonymous nor Wikileaks, but the email spool does. This was the intent of the pitch and it was the desire of Hunton and BofA to make both Anonymous and Wikileaks go away, for surely if Wikileaks were attacked Anonymous would be the de facto response would they not?

A long time ago William Gibson predicted this kind of war of attrition online. His dystopian world included private intelligence firms as well as lone hackers out there “DataCowboy’s” running the gamut of corporate intelligence operations to outright theft of Pharma-Kombinat data. It seems that his prescient writings are coming into shape today as a reality in a way. With the advent of what Barr and company wanted to offer, they would be that new “cowboy” or digital Yakuza that would rid clients of pesky digital and real world problems through online investigation and manipulation.

In short, Hunton would have their very own C4I cell within their corporate walls to set against any problem they saw fit. Not only this, but had this sale been a go, then perhaps this would be a standard offering to every other company who could afford it. Can you imagine the bulk of corporations out tehre having their own internal intelligence and dirty tricks wings? Nixon, EH Hunt, and Liddy would all be proud. Though, Nixon and the plumbers would have LOVED to have the technology that Aaron has today, had they had it, they may in fact have been able to pull off that little black bag job on Democratic HQ without ever having to have stepped inside the Watergate

The Technology:

I previously wrote about the technology and methods that Aaron wanted to use/develop and what he was attempting to use on Anonymous as a group as the test case. The technology is based on frequency analysis, link connections, social networking, and a bit of manual investigation. However, it seemed to Aaron, that the bulk of the work would be on the technology side linking people together without really doing the grunt work. The grunt work would be actually conducting analysis of connections and the people who have made them. Their reasons for connections being really left out of the picture as well as the chance that many people within the mass lemming hoards of Anonymous are just click happy clueless folks.

Nor did Aaron take into account the use of the same technologies out there to obfuscate identities and connections by those people who are capable, to completely elude his system altogether. These core people that he was looking to connect together as Anonymous, if indeed he is right, are tech savvy and certainly would take precautions. So, how is it that he thinks he will be able to use macroverse data to define a micro-verse problem? I am steadily coming to the conclusion that perhaps he was not looking to use that data to winnow it down to a few. Instead, through the emails, I believe he was just going to aggregate data from the clueless LOIC users and leverage that by giving the Feds easy pickings to investigate, arrest, and hopefully put the pressure on the core of Anonymous.

There was talk in the emails of using pressure points on people like the financial supporters of Wikileaks. This backs up the statement above because if people are using digital means to support Wikileaks or Anonymous they leave an easy enough trail to follow and aggregate. Those who are friending Facebook support pages for either entity and use real or pseudo real information consistently, you can easily track them. Eventually, you will get their real identities by sifting the data over time using a tool like Palantir, or for that matter Maltego.

The ANONYMOUS names file

This however, does not work on those who are net and security savvy.. AKA hackers. Aaron was too quick to make assumptions that the core of Anonymous weren’t indeed smart enough to cover their tracks and he paid the price as we have seen.

The upshot here and extending what I have said before.. A fool with a tool.. Is still a fool.

What is coming out though more each day, is that not only was Aaron and HBGary Fed offering Palantir, but they were also offering the potential for 0day technologies as a means to gather intelligence from those targets as well as use against them in various ways. This is one of the scarier things to come out of the emails. Here we have a company that is creating 0day for use by intelligence and government that is now potentially offering it to private corporations.

Truly, it’s black Ice… Hell, I wouldn’t be surprised if one of their 0day offerings wasn’t already called that.

The INFOSEC Community, HBGary, and Spook Country:

Since my last post was put on Infosecisland, I had some heated comments from folks who, like those commenting on the Ligattleaks events, have begun moralizing about right and wrong. Their perception is that this whole HBGary is an Infosec community issue, and in reality it isn’t. The Infosec community is just what the shortened name means, (information security) You all in the community are there to protect the data of the client. When you cross the line into intelligence gathering you go from a farily clear black and white, to a world of grays.

HBGary crossed into the gray areas long ago when they started the Fed practice and began working with the likes of the NSA/DOD/CIA etc. What the infosec community has to learn is that now the true nature of cyberwar is not just shutting down the grid and trying to destroy a country, but it also is the “Thousand Grains of Sand” approach to not only spying, but warfare in general. Information is the currency today as it ever was, it just so happens now that it is easier to get that information digitally by hacking into something as opposed to hiring a spy.

So, all of you CISSP’s out there fighting the good fight to make your company actually have policies and procedures, well, you also have to contend with the idea that you are now at war. It’s no longer just about the kiddies taking credit cards. It’s now about the Yakuza, the Russian Mob, and governments looking to steal your data or your access. Welcome to the new world of “spook country”

There is no black and white. There is only gray now.

The Morals:

And so it was, that I was getting lambasted on infosecisland for commenting that I could not really blame Anonymous for their actions completely against HBGary/Aaron. Know what? I still can’t really blame them. As an entity, Anonymous has fought the good fight on many occasions and increasingly they have been a part of the mix where the domino’s are finally falling all over the Middle East presently. Certain factions of the hacker community as well have been assisting when the comms in these countries have been stifled by the local repressive governments and dictators in an effort to control what the outside world see’s as well as its own people inside.

It is my belief that Anonymous does have its bad elements, but, given what I know and what I have seen, so does every group or government. Take a look at our own countries past with regard to the Middle East and the CIA’s machinations there. Instead of fighting for a truly democratic ideal, they have instead sided with the strong man in hopes of someday making that transition to a free society, but in the meantime, we have a malleable player in the region, like Mubarak.

So far, I don’t see Anonymous doing this. So, in my world of gray, until such time as Anonymous does something so unconscionable that it requires their destruction, I say let it ride. For those of your out there saying they are doing it for the power and their own ends, I point you in the direction of our government and say this; “Pot —> Kettle —> Black” Everyone does everything whether it be a single person or a government body out of a desired outcome for themselves. Its a simple fact.

Conlcusion:

We truly live in interesting times as the Chinese would curse us with. Today the technology and the creative ways to use it are outstripping the governments in ability to keep things secret. In the case of Anonymous and HBGary, we have seen just how far the company was willing to go to subvert the laws to effect the ends of their clients. The same can be said about the machinations of the government and the military in their ends. However, one has to look at those ends and the means to get them and judge just was it out of bounds. In the case of the Barr incident, we are seeing that true intelligence techniques of disinformation, psyops, and dirty tricks were on the table for a private company to use against private citizens throughout the globe.

The truth is that this has always been an offering… Just this time the technologies are different and more prevalent.

If you are online, and you do not take precautions to insure your privacy, then you lose. This is even more true today in the US as we see more and more bills and laws allowing the government and police to audit everything you do without the benefit of warrants and or by use of National Security Letters.

The only privacy you truly have, is that which you make for yourself. Keep your wits about you.

K.

HB Gary: Hubris, Bad Science, Poor Operational Methodology, and The HIVE MIND

with 2 comments

Algorithms, Social Networks, and COMINT:

When I had heard that HB Gary had been popped and their spool file was on PB I thought that it was unfortunate for them as a fairly well known company. Once the stories started coming out though with the emails being published online, I began to re-think it all. It seems that Aaron Barr really fucked the pooch on this whole thing. He primarily did so due to his own hubris, and for this I cannot fault Anonymous for their actions (within reason) in breaking HB Gary and Barr’s digital spine.

It seems that Barr was labouring not only a flawed theory on tracking social networks, but also in that he planned on selling such a theory and application to the government. One notion was bad, and the other was worse. First off though, lets cover the science shall we? Barr wanted to track users on social networks and show connections that would lead to further data on the users. The extension that he was trying to make was obtaining actual real names, locations and affiliations from disparate sources (i.e. Facebook, Twitter, Myspace, IRC, etc) While this type of data gathering has been done in the past, it has not usually been culled from multiple sources automatically electronically and then strung together to form a coherent pattern. In short, Barr was wanting to create software/scripts to just scrape content, and then try to connect the dots based on statistics to tie people to an entity like Anonymous. The problem, and what Barr seemed to not comprehend, is that the Internet is a stochastic system, and as such it is impossible to do what he wanted with any kind of accuracy. At least in the way he wanted to do it, you see, it takes some investigation skills to make the connections that a scripted process cannot.

This can be seen directly from the article snippet below where the programmer calls Barr on his flawed logic in what he was doing and wanted to do.

From “How one man tracked down Anonymous and paid a heavy price

“Danger, Will Robinson!”

Throughout Barr’s research, though, the coder he worked with worried about the relevance of what was being revealed. Barr talked up the superiority of his “analysis” work, but doubts remained. An email exchange between the two on January 19 is instructive:

Barr: [I want to] check a persons friends list against the people that have liked or joined a particular group.

Coder: No it won’t. It will tell you how mindless their friends are at clicking stupid shit that comes up on a friends page. especially when they first join facebook.

Barr: What? Yes it will. I am running throug analysis on the anonymous group right now and it definately would.

Coder: You keep assuming you’re right, and basing that assumption off of guilt by association.

Barr: Noooo….its about probabilty based on frequency…c’mon ur way smarter at math than me.

Coder: Right, which is why i know your numbers are too small to draw the conclusion but you don’t want to accept it. Your probability based on frequency right now is a gut feeling. Gut feelings are usually wrong.

Barr: [redacted]

Coder: [some information redacted] Yeah, your gut feelings are awesome! Plus, scientifically proven that gut feelings are wrong by real scientist types.

Barr: [some information redacted] On the gut feeling thing…dude I don’t just go by gut feeling…I spend hours doing analysis and come to conclusions that I know can be automated…so put the taco down and get to work!

Coder: I’m not doubting that you’re doing analysis. I’m doubting that statistically that analysis has any mathematical weight to back it. I put it at less than .1% chance that it’s right. You’re still working off of the idea that the data is accurate. mmmm…..taco!

Aaron, I have news for you, the coder was right! Let the man eat his taco in peace! For God’s sake you were hanging your hat completely on scrape data from disparate social networks to tie people together within a deliberately anonymous body of individuals! Of course one could say that this is not an impossible feat, but, one would also say that it would take much more than just gathering statistical data of logins and postings, it would take some contextual investigation too. This was something Barr was not carrying out.

I actually know something about this type of activity as you all may know. I do perform scraping, but, without real context to understand the data (i.e. understanding the users, their goals, their MO, etc) then you really have no basis to predict what they are going to do or really their true affiliations. In the case of jihadi’s they often are congregating on php boards, so you can easily gather their patterns of friendship or communications just by the postings alone. Now, trying to tie these together with posts on other boards, unless the users use the same nick or email address, is nearly impossible.

Just how Aaron Barr was proposing to do this and get real usable data is beyond comprehension. It was thus that the data he did produce, and then leak to the press enraged Anonymous, who then hacked HB Gary and leaked the data in full claiming that none of the data was correct. Either way, Aaron got his clock cleaned not only from the hack (which now claims to have been partially a social engineering attack on the company) but also from the perspective of his faulty methodologies to harvest this data being published to the world by Anonymous.

OSINT, Counter-Intelligence, and Social Engineering:

The real ways to gather the intelligence on people like Anonymous’ core group is to infiltrate them. Aaron tried this at first, but failed to actually be convincing at it. The Anon’s caught on quickly to him and outed him with relish, they in fact used this as an advantage, spurring on their own efforts to engineer the hack on HB Gary. Without the right kind of mindset or training, one cannot easily insert themselves in a group like this and successfully pull of the role of mole or double agent.

In the case of Anonymous though, it is not impossible to pull this off. It would take time and patience. Patience it seems that Aaron Barr lacked as much as he did on scientific and mathematical method where this whole expedition was concerned. Where his method could have been successful would have only come from the insertion of an agent provocateur into the core group to gather intel and report back those connections. Without that, the process which Aaron was trying would have yielded some data, but to sift through it all with interviews by the FBI and other agencies would have become ponderous and useless in the end.

It is my belief that there is a core group of Anon’s as I have said before. Simply from a C&C structure, there has to be an operational core in order for there to be cohesion. This can be seen in any hive structure like bees, there are drones, and there is a queen. A simple infrastructure that works efficiently, and in the case of anon, I believe it is much the same. So, were one looking to infiltrate this core, they would have a bit of a time doing so, but, it could be done. Take out the core, and you take out the operational ability of the unit as a whole to be completely effective. To do this though, one should be able to understand and apply the precepts of counter intelligence warfare, something Barr failed to grasp.

In the end.. It bit him pretty hard in the ass because he was in a hurry to go to press and to sell the ideas to the military industrial complex. Funny though, the real boys and girls of the spook world would have likely told him the same thing I am saying here… No sale.

Oh well… Arron Icarus Barr flew too close to the anonymous sun on wings made from faulty mathematical designs and burned up on re-entry.

K.

“Strutting and fretting his hour upon the security industry stage, And then being heard no more”

with 4 comments

The Frustration And Gnashing of Teeth:

Recently, I have heard others lament the state of the “security industry” as well as have posted about my own adventures into the land of FUD and Security Theater as well as a side trip into the shadow lands of denial. My last post about a call that went awry also got responses from others in the business including Mr. Reiner, who had a post somewhat similar to what I had written about, but took it further. His post mirrors much of what I am hearing and feeling myself now 13 years into it.

  • The industry has become just that, an industry that makes cookie cutter security and passes mediocre services as “state of the art”
  • The industry is now full of salesman and charlatans like Gregory Evans and Ligatt
  • The clients still just don’t get it and often do not want to
  • There are too many bells and whistle firms but too few true “holistic” security offerings out there
  • The exploits and vulnerabilities are growing at a rate faster than Moores Law and never will there come a time when you can catch up
  • Nothing is truly secure
  • Regulations are inadequate mechanisms for security best practices inspiration (notice I do not say compliance here)
  • Coders and the companies that hire them are coding insecurely and do not wish to change that
  • Greed is Good (Gordon Gekko)

Generally, the experience out there is that as everything else that someone loves to do as an avocation which turns into a vocation, becomes not so much fun anymore when business gets involved…. Especially big business. Unfortunately, this is exactly what has happened today with information security/technical security. It has become a pre-packaged, pick your services lunch counter style of operation and you rarely get what you really need and instead get the fatty happy meal instead.

Taking A Step Back:

As professionals in the field we all have different skill sets and personal bents on and in the security theater. I am putting us all into the “theater” because really, we are all like Shakespeare’s players who: “struts and frets his hour upon the stage, And then is heard no more” We are in fact often times the character of “The Fool” The one man who is the outward conscience of the king and the one person in the court who can tell the truth to the monarch that they indeed have no clothes on. Of course this really only works for those who are contractors/consultants and can then leave the site after leaving a report on their vulnerabilities and how to fix them. Unfortunately, if you are a full time employee of said “court” you may indeed find yourself in the oubliette quickly enough. We need to embrace this fool role and then decide just how we will approach our careers as well as the means in which we ply our trade for the betterment of the courts we serve in.

One must remember that we all serve the will of the king… And sometimes the king is an idiot, lout, Luddite, or schmuck.

My Goal Here:

My goal with this post and what I think is shaping up to be a series of them, is to cover the players involved here, the game being played, and the realities of our business. So many of us are running into the same walls and I have been hearing the same things over and over from you all out there as well as in my own head as I deal with clients. All too often we do our best to tell the client that they have things that are vulnerabilities within their organizations as well as their infrastructures all for naught.

Others see the bigger picture of with everything that we do, there still is always a way into the org and their infrastructure and a method to steal their data. All too often this also happens because of simple low hanging fruit attacks such as SE attacks or completely un-secured networks that lack policies and processes that might in fact prevent much of the attacks from happening were they documented and in force.

Still others see the grand scale of not only the snake oil salesmen out there but also the malfeasance of the companies that make the software and hardware systems (might I mention ATM machines Deibold? yeaaahhh I think I will) that are completely insecure and egregiously so! Even in this day and age where hacking/cracking is so prevalent they STILL do not want to take the time and the effort to code securely… And as Weld Pond said today

“YOU SHOULD BE ASHAMED OF YOURSELVES! THESE ARE SYSTEMS THAT PASS OUT MONEY!” *paraphrase likely there*

To that end, I have created the following framework for the posts to come. Some of them are posed as questions and if you like, you can comment answers that you think apply. Overall though, I would like to pull the security industry apart as well as the motivations for not only the vendors, but also the clients. I want to lay out all the players and variables, examine them all, and then come up with a strategy for what I am currently calling “Holistic Security” (I know all scented candle touchy feely new age sounding) A method of looking at the security needs of a client and offering them what they really need as well as methods to bring that client to the troth to drink from the security well.

I know.. This is going to be nearly impossible huh?

It’s either this or just packing it in and walking away though… Really… Once you reach a point where you hate the job and you feel constantly that you are doing nothing to change things you either have to walk away, or make drastic changes happen.

What do you think? Don’t you think that with all our SE and other skills we ought to be able to overcome all this?

Check out the future post framework and let me know… I will work on the players tomorrow.

CoB

The Players:

Some of us Just Want to Have It Done Right:

Some of Us Just Want to Hack and Do Cool Shit:

Some of us just want to Be Researchers:

Some Are Just LIGATT:

The Playing Field:

Current Approaches to Security Auditing:

Can There Be A Holistic Security Approach?:

Can We Get Companies to Code Securely and Ethically?:

Opposing Forces:

The Government and Compliance:

The Corporation and the Seven Deadly Sins:

Crackers, APT, and Bulgarians Oh My!:

Every Fortress Falls:

Troy

Sparta

Lockheed Martin

Is There A Framework and Methodology For Holistic Security?:

Security Basics:

Security Awareness vs. Human Nature:

Policies, Procedures, Standards, and Compliance:

Penetration Testing:

Social Engineering:

Written by Krypt3ia

2010/07/29 at 01:42

Gregory Evans: Psychological Profile of a Lackluster Conman

with 3 comments

Wow Mr Crabyolbastard, you failed the test just like I thought you would. This time you even got your wires all mixed up. You get a NO GO at this station. Sorry that you can’t play with the Big Boys without squeeling like a wild pig. Tut…Tut…Now What?

darby.chuck@yahoo.com
68.153.132.46

This crabbyolbastard guy has way too much time on his hands, but hey, he’s getting Greg more publicity. I tell you, Evans is probably the most popular guy in the cyber security industry! keep em talking Greg and continue to prove them wrong! Im rootin for ya!

…. And as for you, you crabby. old. bastard……. GET A LIFE!

dscraigen@gmail.com
68.153.132.46

Oh Greg, I have a life, and that life now includes removing you from the information security theater stage. You see, you came to me, not I to you in this matter, and well, you made a mistake in judgement with your “n01hack3r” thing. Greg, you pissed off the wrong people like I told you before, ya know, the aphorism about hackers being subtle and quick to temper? Well, you have more than a few out there in the “community” gunning for you now, and yet, you spend time on my blog reading it, looking up the big words on the “Googles” and responding via your cavalcade of BellSouth sip/adsl addresses claiming to be others while we know all along that its you. So this post has a couple of functions for me.. Let me lay them out for you.

1) I get under your skin.. I have a habit of doing that on this blog and well, I enjoy being the cause of your mental anguish. I intend to get further under your skin like an embedded tick. I plan on leaving you after this post with the nagging self doubt that haunts you in your silent spaces during the day. Think of me as your new personal Hannibal Lecter and you, you are my cell mate next door “Multiple Migs”

2) To outlay to the world in Neuro-Linguistic Programming, a picture of your inner workings, your fears, your failings, and generally, hasten you to your cataclysmic utter failure oncoming. All packaged up in a neatly ordered and well thought out analysis of you Greg.

So, lets get to it shall we? Oh, and Greg, when you respond, and I know you will, if you can’t follow the conversation even with my little links to help you with the big words, you will have to just move on over to the kids table, this is adult talk now.

Gregory,

I know where you are mentally right now. Your dreams of bling and cheap-n-easy young ladies are quickly becoming nothing but faded ambitions due to your age, your rapidly emptying bank accounts, and the light being shown on you as a charlatan and a con man. It must eat at you during the quiet moments all this failure, it haunts you I am sure. The reason why it does is not so much because you care at all for the shareholders of your company, but more so about your own dreams of self aggrandizement. Its all just a niggling feeling at the back of your mind and then you start to realize that soon, there will be nothing left and your charade will be completely exposed and it makes you break out in a cold sweat all alone at night doesn’t it?

And yet, instead of giving in and moving on to something else, you feel trapped and have to fight against the tide of reason. You strive on to show that you are really all those things that you claim to be, but know that you are not.

Successful

A knowledgeable man on subjects such as computer security

A pillar of the community

A God fearing and righteous man

A raconteur

Generally, a good guy

You must have those momentary pangs when you think of your mother, perhaps of your father, but I guess more about your mother, that she is proud of you. You know though, because you have lied and conned your way to where you are now that she likely is not. It is in these small moments when you are alone at night, that you realize that you are none of those things above. You look back at your life and you think about the places where you might have done things differently.. But, its too late now. This, this is the end of the line.

So it is, with each passing day post your being thrust into the light like a cockroach behind the fridge, your revenue stream being broken by the truths being told, that you increasingly see the only way to fight is to lie more, with more extravagance, and to use what little wits you have to attempt to sway the tide of press.

Yet again, at the end of each day, the failure comes to you at night like a specter doesn’t it Greg? Alone in your bed after all the gold digger girls have gone because you cannot afford them any more, it haunts you. You feel it though Greg, you can see the path to the pain’s release but you just aren’t man enough yet to take the path are you?

The path of admitting you are a failure. You had your time when you passed yourself off and bilked your friends, acquaintances, and shareholders, but those days are gone.

Painful isn’t it… No longer are you the big man Gregory…

Each day you are beset by the news on the internet. The truths being dug up about you and published. I assume the calls from your shareholders that you borrowed all that money from (600K+ last I looked) must be on their minds as you let it go to voicemail. Hard to avoid them too I suppose as you go out of the house or go into one of your marble gilded bathrooms. It must also haunt you, the knowledge that the people you thought you had hoodwinked now see the truths of it all.

Then the possible future teases into your mind. You could be going to jail again. This time, it may not be so short a stay and you know that you are going to have to nut up inside or be passed around for a pack of smokes. All those sticky painful incidents of being someone’s bitch inside must also go through you mind. One shudders to think.

So on you go, posting all kinds of press to make your “company” look better and try to resurrect it all. All in the hopes of those glory days of spending the capital that the shareholders give you for skyboxes, expensive cars, and coochie to impress all of those people you so want to be friends with.

The glitterati.

All the while though now, you know that this is not to be, and it pains you. After all, you are a prideful man aren’t you…

Sometimes though, you think about just disappearing… Starting over…. Perhaps you should.

Of course, then you’d be on the run from the charges surely to be filed. But, after all, you are better suited to running than you are to fighting. Cowardice seems to be your stock in trade. You make veiled threats through emails and you get hot quickly lately don’t you? It must be all the stress.

But you know, they (the security community and the authorities) will not go away…

Best to run Gregory… Before it all collapses in on itself further….

Listen to that niggling little voice Greg….

Written by Krypt3ia

2010/07/20 at 14:26

The Consultant Was a Spy

leave a comment »

Heathfield was also pitching a software program he claimed to have developed, called FutureMap. He described it to sources and in writing as a program that would reside on a company’s internal computer network. Users could plug in variables such as election results and technological breakthroughs to see how events might affect their businesses and future strategies. A screen capture of FutureMap shows a timeline tracking events over the course of many years in a variety of categories, including “Energy and Environment” and “Medicine & Biogenetics.”

Sources who met with Heathfield about FutureMap now believe the software could have been used to steal corporate information and send it back to Russian intelligence officials without the companies’ knowledge. . . . . . Sources were unnerved by how sophisticated and polished Heathfield’s pitch was. If not for the FBI’s intervention, one source speculated, Heathfield could have made a successful sale, installed the software, and started sending information home. “If he had a few more customers and better marketing, he could have really pulled off something tremendous.” . . . .

Full article here:

Back when I was a road warrior for IBM, many people who knew me (friends and family) actually half thought that I was not an IBM employee, but some kind of spook. I have to admit that due to the nature of what I was doing I couldn’t really talk about exactly what I was doing, but I could tell them I was here or there etc.. Unlike real spooks. In the case of Heathfield, well, he turned out to be a real spook and gee, look at that, he was a self branded “consultant” whod’a thunk it huh?

The fact is that the CIA often uses NOC agents in the role of consultants or reps for “front companies” or even legit companies as a cover for their NOC (Non Operational Cover) identities or “legends” They go into places under the guise of business like an Oil company that may in fact be the target of their collection activities. It’s an old trick and it always will be the case, there is nothing new here save that this guy was in fact perhaps peddling software that was pre-pwn3d and could tunnel the “clients” data out to mother Russia. A rather nifty idea really but again, nothing new.

So, won’t you now look on the new consultant as not only perhaps a Bob (oblique Office Space reference) but also maybe the next corporate spy?

THIS is what should happen but I am sure will not. You see, the vetting process for employing people oftentimes is too weak if at all in place at companies. All too many times people do not check references nor do they do the criminal background checks on new hires or prospectives. Never mind the fact that most of the time its easy enough to get onto a corporate facility with faked credentials or none at all and gain access to data, terminals, hardware etc. Hell, just how many places have a separate vlan or drop for internet access for visiting consultants or perspective clients?

Put it this way.. Can anyone just plug in and get a DHCP address on your network? If they can, well game over man.. Even more so if you have a weak AP system for wireless (can you saw WEP?) So that “consultant” whether or not they are meant to be there or have just socially engineered their way into the building may already be on your network and tunneling out gigs of data as you read this…

So one of them turned out to be a real bona fide Russian illegal WOOO HOOO! Worry about all the others out there from ever other land as well as corporate entity looking to steal your shit.

Pay attention! So can the DHL Guy, the I.T. Guy, The Mail Man, The Temp, The Plumber, Janitor, etc etc etc…

CoB

Getting Into Bed With Robin Sage: The Fallout & The Proof of Concept

with 2 comments

So why the pictures of Anna Chapman you ask? Well, because it may well have been Anna on the profile.. The principle is the same.

The Robin Sage Affair:

Recently, the INFOSEC community found itself with its virtual pants around its digital ankles through the machinations of “Robin Sage” a faux profile created on a number of social networking sites including InkedIn. The profile sported a goth girl and the attending personal data claimed that she worked for N8 Naval Warfare Center and was basically the inspiration for Abby Sciuto, a character from NCIS (Naval Criminal Investigative Service) on CBS.

The man behind the profile and the experiment is Thomas Ryan, the co-founder and Managing Partner of Cyber Operations and Threat Intelligence for Provide Security. His idea was to test the social networking process to see if he by proxy of this profile, could get people to just add Robin without any real vetting. A secondary part of the experiment was also to see just how much information could be gathered by the cutout and see just how damaging such actions could be to end users who “just click yes” to anyone who wishes to be added.

In the end, within a 28 day period the account harvested not only compromising data (much of the worst from LinkedIn) but also invitations to speak at conferences, job offers, and I am sure, the odd lascivious offers to “meet” The byproduct of this experiment in the short term (after her outing, so to speak) is that the Infosec community members who were duped are feeling, well, a bit sheepish right now. After all, these are the people who are supposed to be teaching others on how not to get compromised like this. Especially so with a social engineering exploit that worked so knee jerk well.

Twitter has been abuzz with condemnation and who knows what’s being said in the halls of power and in the military since many of the folks who got duped were military operators. All of this though glosses over a pertinent fact for me however. One that may be in fact brought out in the talk at Black Hat, but I thought it interesting to write about here. The problems of how humans are wired neurologically and our needs to be “social” We come pre-loaded and then taught social norms that are counter much of the time to secure actions.

Hardwired:

It is my contention that human beings are a social animal that are wired and trained to be trusting as well as gullible when a pretty woman says “please add me” Sure, we can train ourselves to be skeptical and to seek out more information, but, in our society of late it seems that we have even lost more of this capability because we do not teach critical thinking in school as much as wrote learning. Of course this is just one aspect of a bigger picture and I really want to focus on the brain wiring and social training.

As social animals, we ‘want” to be social (most of us that is) and long to communicate. After all, that is what the internet is all about lately huh? Not being actually in the room with people but able to talk/chat with them online in “social networks” In other cases we are forced to be social in the sense that our lives depend on our social natures. We cooperate with others, we live with others and we depend on others for our safety in numbers, infrastructure continuance, etc. Thus we evolved into tribes, clans, societies, and now its going global. All of this is predicated on some modicum of trust in relationships.

Trust relationships though are just one thing. We trust as we walk down the street that the people walking toward us will not whip out a gun and just start shooting at you. We trust that the driver on the other side of the road will not just veer out in front of us for no apparent reason because that would be counter productive and not the “norm” However, these things can and do happen from time to time, yet, we do not find ourselves on permanent alert as we walk the streets because if we were then we would be a wreck. Turning that around, we would then be seen as paranoid and not “normal”

See where I am going with that?

So, in the sense of online social networks and security, these things are just diametrically opposed. If you want to be social, don’t enter into areas of discourse where your “security” is supposed to be protected. It is akin to walking up to a stranger and telling them your doors at home are unlocked most of the time. Believe me it happens now and then, but don’t you then start thinking that that person just has something fundamentally wrong with them? Its the same for any online relationship. Nickerson said it best.. Unless you really know them or have.. “spit roasted” someone with them, then don’t add them or tell them secret things… But.. Then there is that whole trust issue.

We are trusting and want to follow social norms. THIS is why social engineering works so well! We are just wired for it and to change these behaviors really requires training.

Additionally, lets take into account the hotness factor with this particular experiment. The pictures of “Robin” were obvious to some as being of someone who would NOT have a job at N8 or any facility/group with classified access and responsibilities. I took one look and thought;

“Look at that nip slip and belly shot there on the Facebook.. No way this is a real profile because her clearance would be yanked ASAP”

Others though, may have looked at those pics and thought “damn, I want to meet her, I will add her and chat her up” This begs the question of just what the ratio was of men to women who asked to be added or just clicked add on the Robin Sage profile. Were the numbers proportionally higher men to women I wonder? I actually believe that to be the case. In fact, this is an important thing to take note of as we are dealing with a very familiar tactic in espionage realms.

“The Swallow” or “Honeytrap”

How many have fallen for the “Russian Secretary” over the years and then been turned into an agent for Russia? The same principle is being used here. The bait is a cute goth chick who happens to work in the very same field you do! A field mind you that is still primarily loaded with guys. So this is just moth to the flame here. It is so common that perhaps we cannot get past our own hard wired brain and sexual drives huh? It will be interesting to see the talk at Black Hat to get the stats.

The Community:

So, once again, those who got spanked by this and are griping now, I say take a long look at the problem. You fell victim to your own programming. You could potentially have not fallen prey to it, and perhaps in the future you won’t, but, take this as a learning experience and move on.

Use this experience to teach others.

Object lesson learned.

Full CSO article HERE

CoB

#LIGATT A Cautionary Tale of Cyber-Security Snake Oil

with 10 comments

The Charlatan of the Intertubes:

Last week an internet war broke out on Twitter that became all the rage within INFOSEC circles. A self proclaimed #1 hacker “Gregory D. Evans” was being taken to task for the blatant plagiarism in his book of the same name. Evidently, Mr. Evans, like the BP and other oil company executives, decided it was quite alright to just cut and paste their way to a complete document and claim it as their own. Mr. Evans now though, is learning a couple of things;

1) Plagiarism is just wrong.

2) Do not meddle in the affairs of hackers.. For they are subtle and quick to temper.

Whats more, this whole event has brought to light the fact that this charlatan has been hoodwinking certain governmental bodies into believing that he is qualified to handle their information security and technical security needs. This is the most frightening thing for me because we are already pretty behind the eight ball where this is concerned with regard to the government and our infrastructure. What we really DON’T need is a wanker like this guy to get contracts for work within the government sphere.

Since the original calling out by Ben Rothke and also by the Shitcast as well as Exotic Liability much has been dug up on Gregory Evans and his merry band of plagiarists that he calls “authors” on his Nationalcybersecurity site. Here are some examples;

  • His author picture for “Seria Mullen” was in fact a picture of a local tv news anchor
  • None of his authors seem to actually write anything, instead they copy AP stories and place them on the site under their name
  • His site nationalcybersecurity.com is riddled wth PHP and XSS vulnerabilities (it was in fact hacked and taken down.. Its back unfixed now as you can see from the image above)
  • None of his alleged experts seems to be qualified for the positions he claims they have in information security and technical security
  • He immediately played the race card in response to the allegations of his plagiarism and fraud
  • In one STUNNING case Evans claims he has a 13 yo hacker who he hired at 11.. He has a youtube commercial with him in it as a testimonial.. Turns out the kid is an actor (see twitter below)

Here are some more examples via Twitter:

#LIGATT Meet Beth Sommer another “author” who actually writes NONE of her posts http://tinyurl.com/29yvjuo

#LIGATT Mark Wilkerson author. Anyone know this guy?http://tinyurl.com/33zlrwc http://tinyurl.com/33zlrwc

#LIGATT Meet Rex Frank (cyber sec expert)http://tinyurl.com/2dghu33 http://tinyurl.com/2a5mh9j and “author” Funny, I see no creds there..

#LGTT Meet Avery Mitchell Ligatt flunky http://tinyurl.com/35hz6bohttp://tinyurl.com/35a8fjo http://tinyurl.com/27csy7r He’s their top guy

#LIGATT None of these “authors” actually write anything on nationalcybersecurity.com http://tinyurl.com/258jd5x they just add their names

♺ @wireheadlance: Ligatt fraud exposed: “hacker” is an actorhttp://tinyurl.com/3xus8ey http://bit.ly/dh0hw5 NICE

Over and over again, Evans has claimed that he was consulted by Kevin Mitnick in jail over his plea agreement, that his company is worth millions, and that he paid the authors of the content that he used. All of these claims seem to have been quite easily refuted and there have been more than a few authors who have said that he never asked them, never paid them, and in fact were quite unhappy with their work being stolen. In short, its pretty well known now that Gregory Evans is a liar and a thief… At least a thief of intellectual capital in the form of hacking texts.

Whats worse to me though, as I mentioned above, is that there are people out there and companies.. Perhaps even governmental bodies that have thought about contracting with him for ethical hacks on their networks and likely have been sold snake oil reports on their security postures. It is highly likely, that these places are just as insecure as they were the day before Gregory and his lackeys came along and this is a large disservice to them and to the information security industry.

This is however, not an uncommon occurrence unfortunately… Just in this case it is so egregious that its hard to believe anyone bought it!

The “Industry”

The infosec industry has become like any other industry.. Like the fast food “industry” there is a lot of crap out there and unfortunately the buyers are unaware of the differences between the garbage and the good stuff. The words “Caveat Emptor” just don’t compute for many people in the corporations that need these kinds of services. They also might go for the cheaper service in hopes that they will just get a piece of paper saying they have been audited and its all good. It’s not all good.

Of course, I would like to also add here and now, that security is…. Well.. Not a hard target. It’s rather like philosophy in many ways really. You either get it and you work at getting more of it, or, you just are lost and have no idea what its all about. It is also rather tricky from a technical perspective because someone could come in and run the tests, tell you you are good in one area, leave, and two minutes after they are gone someone could open up a new hole and BAM you get compromised. So, in reality one could make the logical extension that many of the companies out there now doing “ethical hacks” and “vulnerability scans” could in fact just be fools with tools who don’t know how to judge between an IIS vulnerability or an Apache Tomcat vuln.

The “Industry” has become a the new MCSE with the CISSP being potentially the new paper tiger equivalent of that old Microsoft cert that really, no one cares about any more. Now with the “cyberwar” boondoggle, we have many more pigs at the troth (like Ligatt) looking to make lots and lots of cash on specious claims of being #1 Hackers. This is even worse when you stop to think about the stakes here…

I mean you either have the skills and the drive to perform this type of work, or you don’t.. Unfortunately now, the CEH courses out there are cranking out “CEH” candidates like sausages and I would hazard that a good 90% of them have no idea how to really be a good security analyst.

Security is a voyage… Not a destination:

This is the mindset one needs to really be working on security and it is work. You have to keep at it or you will eventually find yourself compromised because you didn’t patch something or an end user did not know better than to click on that “VIAGRA FREE” pdf file with the new 0day in it. In short, much of the security puzzle resides in the most basic of principles within security and most places out there do not have a solid footing on how to perform these functions.

I personally, would like to see a more holistic approach to information and technical security today as opposed to just selling a vuln scan and or an ethical hack. You can hack the shit out of a place, have them remediate the holes, and still, if they do not have proper policies, procedures, standards, and awareness programs in place, they will be pwn3d again and again.

It’s really all about the basics…

So, you out there who want to get into this field… Don’t be a Ligatt (Evans) get the books, do the homework, and if you have the drive then you can do a good job. Remember there is that pesky word “Ethical” in there…

CoB